From: eadaivs <eadaivs@xxxxxxxx> 1) If we call find_ea() if "bytes" less than 8 then the unpacked_ea_size() is an out of bounds read. 2) The *off + unpacked_ea_size() can have an integer overflow. Link: https://syzkaller.appspot.com/bug?extid=c4d950787fd5553287b7 Reported-by: syzbot+c4d950787fd5553287b7@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: eadaivs <eadaivs@xxxxxxxx> --- Changes in v4: Separate out the issue with the buffer overflow and the integer overflow. fs/ntfs3/xattr.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c index afd0ddad826f..3cd1a24c7bcc 100644 --- a/fs/ntfs3/xattr.c +++ b/fs/ntfs3/xattr.c @@ -41,17 +41,23 @@ static inline size_t packed_ea_size(const struct EA_FULL *ea) * * Assume there is at least one xattr in the list. */ -static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes, +static inline bool find_ea(const struct EA_FULL *ea_all, size_t bytes, const char *name, u8 name_len, u32 *off) { + const struct EA_FULL *ea; + u32 next_off; *off = 0; - if (!ea_all || !bytes) + if (!ea_all || bytes < sizeof(*ea)) return false; for (;;) { - const struct EA_FULL *ea = Add2Ptr(ea_all, *off); - u32 next_off = *off + unpacked_ea_size(ea); + *ea = Add2Ptr(ea_all, *off); + + if (sizeof(*ea) + *off > bytes) + return false; + + next_off = size_add(*off, unpacked_ea_size(ea)); if (next_off > bytes) return false; @@ -61,8 +67,6 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes, return true; *off = next_off; - if (next_off >= bytes) - return false; } } -- 2.37.2