syzbot is reporting too large allocation at ntfs_load_attr_list(), for a crafted filesystem can have huge data_size.

If -1023 <= (ssize_t) lsize <= 0 range, kmalloc(al_aligned(lsize)) allows writing lsize bytes at ZERO_SIZE_PTR. But since nobody knows the valid range, let's try limiting to 0 < lsize <= 1048576 range (and also add __GFP_NOWARN in case costly memory allocation failed).

Reported-by: syzbot <syzbot+89dbb3a789a5b9711793@xxxxxxxxxxxxxxxxxxxxxxxxx>
Link: https://syzkaller.appspot.com/bug?extid=89dbb3a789a5b9711793
Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations")
Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
--- fs/ntfs3/attrlist.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/fs/ntfs3/attrlist.c b/fs/ntfs3/attrlist.c index c0c6bcbc8c05..46d52f66aca4 100644 --- a/fs/ntfs3/attrlist.c +++ b/fs/ntfs3/attrlist.c @@ -52,7 +52,12 @@ int ntfs_load_attr_list(struct ntfs_inode *ni, struct ATTRIB *attr) if (!attr->non_res) { lsize = le32_to_cpu(attr->res.data_size); - le = kmalloc(al_aligned(lsize), GFP_NOFS); + /* Arbitrary limit for avoid accessing ZERO_SIZE_PTR. */ + if (!lsize || lsize > 1048576) { + err = -ENOMEM; + goto out; + } + le = kmalloc(al_aligned(lsize), GFP_NOFS | __GFP_NOWARN); if (!le) { err = -ENOMEM; goto out; @@ -80,7 +85,12 @@ int ntfs_load_attr_list(struct ntfs_inode *ni, struct ATTRIB *attr) if (err < 0) goto out; - le = kmalloc(al_aligned(lsize), GFP_NOFS); + /* Arbitrary limit for avoid accessing ZERO_SIZE_PTR. */ + if (!lsize || lsize > 1048576) { + err = -ENOMEM; + goto out; + } + le = kmalloc(al_aligned(lsize), GFP_NOFS | __GFP_NOWARN); if (!le) { err = -ENOMEM; goto out; -- 2.34.1
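
Review bot: In the first hunk (the `!attr->non_res` branch, right after `lsize = le32_to_cpu(attr->res.data_size);`), the new `if (!lsize || lsize > 1048576)` path sets `err = -ENOMEM` even though no allocation has been attempted yet. The condition rejects an on-disk size from a crafted filesystem, so an error such as -EINVAL would let callers and logs tell a malformed attribute list apart from real memory pressure, which the `if (!le)` path just below already reports as -ENOMEM. The added comment should also read "to avoid" rather than "for avoid".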
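
Review bot: In the second hunk (the branch after `if (err < 0) goto out;`), the literal 1048576 and its comment are repeated verbatim from the first hunk, so the two bounds can drift apart in later edits. A named constant, or a small helper that validates lsize for both branches, would keep the limit in one place. The comment covers only the ZERO_SIZE_PTR half of the check; the commit message says the upper bound is a guess because the valid range is unknown, and that belongs next to the constant. Please also confirm that lsize is unsigned, since the declaration is outside the visible context and `lsize > 1048576` only rejects the negative-as-ssize_t values from the commit message if it is.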