On Fri, Jul 22, 2022 at 5:51 PM Dipanjan Das <mail.dipanjan.das@xxxxxxxxx> wrote:
>
> Hi,
>
> We would like to report the following bug which has been found by our
> modified version of syzkaller.
>
> ======================================================
> description: KASAN: slab-out-of-bounds Read in ntfs_get_ea
> affected file: fs/ntfs3/xattr.c
> kernel version: 5.19-rc6
> kernel commit: 32346491ddf24599decca06190ebca03ff9de7f8
> git tree: upstream
> kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=cd73026ceaed1402
> crash reproducer: attached
> ======================================================

Here is our initial analysis and findings regarding this crash (when we run the repro attached to our original report):

In `fs/ntfs3/xattr.c`, the memory size `size` allocated to hold all the extended attributes is `60` bytes, which is pointed to by `ea_all` in `ntfs_get_ea`. `find_ea` iterates over `ea_all` by adding an `offset` to the current `ea` address to find a matching `ea`. The offset is calculated either using the size of the extended attribute in `ea->size` or, if `ea->size` is 0, using the struct size of the `ea`. The loop terminates if (1) one matching extended attribute `ea` is found or (2) the calculated offset is greater than `size`.

In this case, at one point the calculated `offset` becomes `56`, which does not satisfy either of the terminating conditions, and therefore it still attempts to find the next `ea`. In order to do that, it calculates the size of the current `ea`. Since the current `ea->size` is 0, the struct size of the current `ea` is used. During that calculation, the field value `ea->name` is dereferenced to calculate the size occupied by that field, and the address of `ea->name` falls beyond the `60` byte slab range. Hence, the slab out-of-bounds read occurs.

Please let us know if this helps, or if we need to dig in further.

--
Thanks and Regards,
Dipanjan
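As an added illustration of the failure mode described in the analysis (not code from the report or from fs/ntfs3), the following models the EA walk with a bounds check that validates a record header and its computed extent against the buffer before reading any field. The record layout, the `find_ea_checked` name and the 56-byte sample record are assumptions constructed for the example; the kernel's real struct differs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>

/* Simplified model of an EA record (assumed layout, not the kernel's struct):
 * a fixed header followed by the name (NUL-terminated) and the value bytes. */
struct ea_rec {
    uint32_t size;      /* total record size; 0 means "compute from the fields" */
    uint8_t  flags;
    uint8_t  name_len;
    uint16_t value_len;
    char     name[];    /* name_len bytes + NUL, then value_len bytes */
};

/* Size a record occupies when ea->size is 0, as the iterator would compute it. */
static size_t ea_unpacked_size(const struct ea_rec *ea)
{
    return sizeof(*ea) + 1 + ea->name_len + ea->value_len;
}

/* Bounds-checked lookup over a buffer of `size` bytes. Returns the byte offset
 * of the match, -ENOENT if no record matches, or -EINVAL if a header or the
 * record body it describes would extend past the end of the buffer. */
int find_ea_checked(const uint8_t *buf, size_t size, const char *name)
{
    size_t off = 0, want = strlen(name);

    while (off < size) {
        /* The header must fit before size/name_len/value_len are read; this is
         * the check that a 4-byte remainder at offset 56 of 60 would fail. */
        if (size - off < sizeof(struct ea_rec))
            return -EINVAL;
        const struct ea_rec *ea = (const struct ea_rec *)(buf + off);
        size_t need = ea_unpacked_size(ea);
        size_t rec = ea->size ? ea->size : need;
        /* Declared size must cover the fields it claims and stay in the buffer. */
        if (rec < need || rec > size - off)
            return -EINVAL;
        if (ea->name_len == want && memcmp(ea->name, name, want) == 0)
            return (int)off;
        off += rec;
    }
    return -ENOENT;
}

/* Constructed sample: one size-0 record occupying 56 bytes ("user.a", 41-byte
 * value) in a 60-byte zeroed buffer, then look `name` up over `size` bytes. */
int sample_lookup(size_t size, const char *name)
{
    uint8_t buf[60] = {0};
    struct ea_rec *e = (struct ea_rec *)buf;
    e->size = 0; e->name_len = 6; e->value_len = 41;   /* 8 + 7 + 41 = 56 */
    memcpy(e->name, "user.a", 7);
    return find_ea_checked(buf, size, name);
}
```

With `size` = 56 the walk ends cleanly at the buffer boundary; with the 60-byte allocation from the report the trailing 4 bytes cannot hold a header, so the lookup fails closed instead of reading past the slab.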