syzbot was reporting too large allocation at ntfs_load_attr_list(), for a crafted filesystem can have huge data_size. It turned out that commit 366bfcc2898f ("fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_load_attr_list()") was not sufficient, for kmalloc(al_aligned(lsize)) allows writing lsize bytes at ZERO_SIZE_PTR if -1023 <= (ssize_t) lsize <= 0. But since nobody knows the valid range, let's try limiting to 0 < lsize <= 1048576 range. Reported-by: syzbot <syzbot+89dbb3a789a5b9711793@xxxxxxxxxxxxxxxxxxxxxxxxx> Closes: https://syzkaller.appspot.com/bug?extid=89dbb3a789a5b9711793 Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations") Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> --- fs/ntfs3/attrlist.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/ntfs3/attrlist.c b/fs/ntfs3/attrlist.c index 42631b31adf1..a4b2a7f4cd7b 100644 --- a/fs/ntfs3/attrlist.c +++ b/fs/ntfs3/attrlist.c @@ -52,6 +52,11 @@ int ntfs_load_attr_list(struct ntfs_inode *ni, struct ATTRIB *attr) if (!attr->non_res) { lsize = le32_to_cpu(attr->res.data_size); + /* Arbitrary limit for avoid accessing ZERO_SIZE_PTR. */ + if (!lsize || lsize > 1048576) { + err = -ENOMEM; + goto out; + } le = kmalloc(al_aligned(lsize), GFP_NOFS | __GFP_NOWARN); if (!le) { err = -ENOMEM; @@ -80,6 +85,11 @@ int ntfs_load_attr_list(struct ntfs_inode *ni, struct ATTRIB *attr) if (err < 0) goto out; + /* Arbitrary limit for avoid accessing ZERO_SIZE_PTR. */ + if (!lsize || lsize > 1048576) { + err = -ENOMEM; + goto out; + } le = kmalloc(al_aligned(lsize), GFP_NOFS | __GFP_NOWARN); if (!le) { err = -ENOMEM; -- 2.18.4
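Review bot: In the resident-attribute hunk (the one following `lsize = le32_to_cpu(attr->res.data_size);`), rejecting an lsize outside 0 < lsize <= 1048576 is a sanity check on a value read from the on-disk attribute, so returning -ENOMEM misreports corruption as memory exhaustion to callers and to anyone reading the resulting error; -EINVAL, or whatever the surrounding code returns for a malformed attribute, fits better. The added comment "Arbitrary limit for avoid accessing ZERO_SIZE_PTR." should read "to avoid", and since the commit message says the valid range is unknown, a sentence in the comment explaining why 1 MiB was picked (and that the zero check is what actually prevents kmalloc() returning ZERO_SIZE_PTR) would help the next reader.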
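Review bot: The second hunk (non-resident path, after `if (err < 0) goto out;`) copies the first check verbatim, including the bare literal 1048576 and the same comment typo, so the bound should become one named constant (a #define near the top of fs/ntfs3/attrlist.c, for example) used by both branches, or the check should be moved into a small static helper that both kmalloc() sites call; two independent copies of an "arbitrary" limit are easy to drift apart when someone later tunes one of them. The same -ENOMEM versus -EINVAL concern applies here as well.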