Hello Konstantin Komarov, The patch be71b5cba2e6: "fs/ntfs3: Add attrib operations" from Aug 13, 2021 (linux-next), leads to the following Smatch static checker warning: fs/ntfs3/xattr.c:393 ntfs_set_ea() warn: integer overflows fs/ntfs3/xattr.c 301 static noinline int ntfs_set_ea(struct inode *inode, const char *name, 302 size_t name_len, const void *value, 303 size_t val_size, int flags, bool locked, 304 __le16 *ea_size) 305 { 306 struct ntfs_inode *ni = ntfs_i(inode); 307 struct ntfs_sb_info *sbi = ni->mi.sbi; 308 int err; 309 struct EA_INFO ea_info; 310 const struct EA_INFO *info; 311 struct EA_FULL *new_ea; 312 struct EA_FULL *ea_all = NULL; 313 size_t add, new_pack; 314 u32 off, size, ea_sz; 315 __le16 size_pack; 316 struct ATTRIB *attr; 317 struct ATTR_LIST_ENTRY *le; 318 struct mft_inode *mi; 319 struct runs_tree ea_run; 320 u64 new_sz; 321 void *p; 322 323 if (!locked) 324 ni_lock(ni); 325 326 run_init(&ea_run); 327 328 if (name_len > 255) { 329 err = -ENAMETOOLONG; 330 goto out; 331 } 332 333 add = ALIGN(struct_size(ea_all, name, 1 + name_len + val_size), 4); It's bad to mix struct_size() with any sort of math. Going into it, can the argument "1 + name_len + val_size" overflow? name_len is bounded to 255 by the check on line 328, but val_size is not checked anywhere in this function, so the plain addition is only as safe as whatever bound the caller puts on val_size. Then, if struct_size() itself detects an overflow it saturates to SIZE_MAX (ULONG_MAX) rather than failing, and ALIGN(SIZE_MAX, 4) wraps around to zero, so "add" would arrive at ntfs_read_ea() on line 335 as 0 - a size that is silently far too small instead of an error. Checking the un-aligned size against an explicit upper bound before the ALIGN(), or building it with check_add_overflow() and bailing out on overflow, would make this path fail closed. 334 335 err = ntfs_read_ea(ni, &ea_all, add, &info); 336 if (err) 337 goto out; regards, dan carpenter