potential buffer overrun in ntfs_fix_post_read()

read_log_page() in fs/ntfs3/fslog.c allocates log->page_size bytes:

                to_free = kmalloc(log->page_size, GFP_NOFS);

but then passes a length of PAGE_SIZE to ntfs_fix_post_read():

        if (page_buf->rhdr.sign != NTFS_FFFF_SIGNATURE)
          ntfs_fix_post_read(&page_buf->rhdr, PAGE_SIZE, false);

The attached corrupt file system image causes log->page_size to be
2048, so ntfs_fix_post_read() reads and writes off the end of the buffer.

# uname -a
Linux ubuntu66 6.7.0-11091-g296455ade1fd #5 SMP PREEMPT_DYNAMIC Fri Jan 19 15:38:07 EST 2024 x86_64 x86_64 x86_64 GNU/Linux
# gunzip ntfs33a.img.gz 
# mount -t ntfs3 -o loop,ro ntfs33a.img /mnt
[11954.012988] ==================================================================
[11954.013361] BUG: KASAN: slab-out-of-bounds in ntfs_fix_post_read+0x1e7/0x210
[11954.013711] Read of size 2 at addr ffff8881199541fe by task mount/13238

[11954.014052] CPU: 5 PID: 13238 Comm: mount Not tainted 6.7.0-11091-g296455ade1fd #5
[11954.014416] Hardware name: FreeBSD BHYVE/BHYVE, BIOS 13.0 11/10/2020
[11954.014707] Call Trace:
[11954.014790]  <TASK>
[11954.014855]  dump_stack_lvl+0x37/0x50
[11954.015033]  print_report+0xcc/0x610
[11954.015182]  ? __virt_addr_valid+0x1ce/0x2a0
[11954.015369]  ? ntfs_fix_post_read+0x1e7/0x210
[11954.015554]  kasan_report+0xb0/0xe0
[11954.015692]  ? ntfs_fix_post_read+0x1e7/0x210
[11954.015880]  ntfs_fix_post_read+0x1e7/0x210
[11954.016058]  read_log_page+0x1b0/0x510
[11954.016213]  log_replay+0x4445/0xd490
[11954.016360]  ? __pfx_wake_up_bit+0x10/0x10
[11954.016534]  ? __pfx_log_replay+0x10/0x10
[11954.016697]  ? mi_read+0x120/0x520
[11954.016833]  ? ntfs_iget5+0x1e21/0x3290
[11954.016988]  ? unlock_new_inode+0x79/0xc0
[11954.017153]  ? __pfx_ntfs_iget5+0x10/0x10
[11954.017321]  ntfs_loadlog_and_replay+0x3fe/0x530
[11954.017522]  ? __pfx_ntfs_loadlog_and_replay+0x10/0x10
[11954.017748]  ? __kasan_record_aux_stack+0xbe/0xe0
[11954.017953]  ? __call_rcu_common.constprop.0+0x49b/0xab0
[11954.018190]  ? __destroy_inode+0x32/0x250
[11954.018354]  ntfs_fill_super+0x1c5f/0x3d70
[11954.018521]  ? __pfx_ntfs_fill_super+0x10/0x10
[11954.018712]  ? __pfx_snprintf+0x10/0x10
[11954.018868]  ? _raw_spin_lock+0x80/0xe0
[11954.019025]  ? __pfx__raw_spin_lock+0x10/0x10
[11954.019211]  ? bdev_open_by_dev+0x7f4/0xc30
[11954.019392]  ? sb_set_blocksize+0x3d/0xe0
[11954.019555]  ? setup_bdev_super+0x2e9/0x630
[11954.019733]  get_tree_bdev+0x2e5/0x530
[11954.019885]  ? __pfx_ntfs_fill_super+0x10/0x10
[11954.020075]  ? __pfx_get_tree_bdev+0x10/0x10
[11954.020256]  ? vfs_parse_fs_string+0xd6/0x130
[11954.020444]  ? __pfx_vfs_parse_fs_string+0x10/0x10
[11954.020651]  vfs_get_tree+0x83/0x320
[11954.020795]  path_mount+0x4e0/0x1bf0
[11954.020940]  ? __pfx_path_mount+0x10/0x10
[11954.021102]  ? __kasan_slab_free+0x119/0x1d0
[11954.021287]  ? user_path_at_empty+0x44/0x60
[11954.021464]  ? kmem_cache_free+0x96/0x320
[11954.021629]  __x64_sys_mount+0x1fd/0x270
[11954.021789]  ? __pfx___x64_sys_mount+0x10/0x10
[11954.021986]  ? getname_flags.part.0+0xb4/0x450
[11954.022185]  do_syscall_64+0x56/0x120
[11954.022337]  entry_SYSCALL_64_after_hwframe+0x6e/0x76
[11954.022571] RIP: 0033:0x7f0067d31b0e
[11954.022718] Code: 48 8b 0d 25 23 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f2 22 0f 00 f7 d8 64 89 01 48
[11954.023717] RSP: 002b:00007ffe04b81a88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[11954.024091] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0067d31b0e
[11954.024436] RDX: 000055f9b627c370 RSI: 000055f9b627c980 RDI: 000055f9b6281cc0
[11954.024781] RBP: 000055f9b627c750 R08: 0000000000000000 R09: 0000000000000001
[11954.025145] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[11954.025490] R13: 000055f9b627c370 R14: 000055f9b6281cc0 R15: 000055f9b627c750
[11954.025832]  </TASK>

[11954.025932] Allocated by task 13238:
[11954.026076]  kasan_save_stack+0x24/0x50
[11954.026080]  kasan_save_track+0x14/0x30
[11954.026083]  __kasan_kmalloc+0x7f/0x90
[11954.026086]  __kmalloc+0x179/0x370
[11954.026089]  read_log_page+0x2ee/0x510
[11954.026092]  log_replay+0x4445/0xd490
[11954.026094]  ntfs_loadlog_and_replay+0x3fe/0x530
[11954.026096]  ntfs_fill_super+0x1c5f/0x3d70
[11954.026098]  get_tree_bdev+0x2e5/0x530
[11954.026101]  vfs_get_tree+0x83/0x320
[11954.026104]  path_mount+0x4e0/0x1bf0
[11954.026106]  __x64_sys_mount+0x1fd/0x270
[11954.026108]  do_syscall_64+0x56/0x120
[11954.026110]  entry_SYSCALL_64_after_hwframe+0x6e/0x76

[11954.026145] The buggy address belongs to the object at ffff888119953800
                which belongs to the cache kmalloc-2k of size 2048
[11954.026716] The buggy address is located 510 bytes to the right of
                allocated 2048-byte region [ffff888119953800, ffff888119954000)

[11954.027359] The buggy address belongs to the physical page:
[11954.027617] page:ffffea0004665400 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888119955000 pfn:0x119950
[11954.027621] head:ffffea0004665400 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[11954.027624] flags: 0x200000000000a40(workingset|slab|head|node=0|zone=2)
[11954.027629] page_type: 0xffffffff()
[11954.027632] raw: 0200000000000a40 ffff888100043240 ffffea00042be410 ffff888100040c50
[11954.027635] raw: ffff888119955000 0000000000050003 00000001ffffffff 0000000000000000
[11954.027637] page dumped because: kasan: bad access detected

[11954.027670] Memory state around the buggy address:
[11954.027885]  ffff888119954080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11954.028243]  ffff888119954100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11954.028593] >ffff888119954180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11954.028943]                                                                 ^
[11954.029287]  ffff888119954200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11954.029631]  ffff888119954280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11954.029979] ==================================================================
[11954.030365] Disabling lock debugging due to kernel taint

Robert Morris
rtm@xxxxxxxxxxxxx

Attachment: ntfs33a.img.gz
Description: Binary data
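As an added illustration (not kernel code and not part of this report), a user-space model of the update-sequence fixup walk that ntfs_fix_post_read() performs, with the allocation-size guard that read_log_page() lacks. The struct, field names and the 2048-byte constructed page are stand-ins, and 4096 stands in for x86_64 PAGE_SIZE:

```c
#include <stdint.h>
#include <string.h>
#define SECTOR_SIZE 512

struct rec_hdr {                      /* stand-in for NTFS_RECORD_HEADER */
    uint32_t sign;
    uint16_t fix_off, fix_num;        /* USA offset; 1 seq word + 1 per sector */
};

/* 0 = ok, -1 = corrupt header, -2 = `bytes` larger than the buffer. */
int fix_post_read(void *buf, size_t alloc, size_t bytes)
{
    struct rec_hdr *h = buf;
    uint16_t fo = h->fix_off, fn = h->fix_num, *fixup, *ptr, sample;
    if (bytes > alloc)                /* the guard read_log_page() lacks */
        return -2;
    /* Kernel-style sanity check: fn is bounded by `bytes`, not by `alloc`. */
    if ((fo & 1) || fo + fn * 2 > SECTOR_SIZE || !fn-- || fn * SECTOR_SIZE > bytes)
        return -1;
    fixup = (uint16_t *)((char *)buf + fo);
    sample = *fixup;
    ptr = (uint16_t *)((char *)buf + SECTOR_SIZE - 2);
    while (fn--) {                    /* last word of each sector */
        if (*ptr != sample)
            return -1;
        *ptr = *++fixup;              /* put the saved original back */
        ptr += SECTOR_SIZE / 2;
    }
    return 0;
}

/* Constructed 2048-byte log page claiming `sectors` sectors (USA at 0x28, seq
 * word 0x1234, saved originals 0xA000+i), walked with `bytes`. Returns the
 * negative status, or on success the restored last word of sector 0. */
int run_model(unsigned sectors, size_t bytes)
{
    static uint8_t page[2048];
    struct rec_hdr *h = (struct rec_hdr *)page;
    uint16_t *usa = (uint16_t *)(page + 0x28);
    memset(page, 0, sizeof page);
    h->fix_off = 0x28;
    h->fix_num = sectors + 1;
    usa[0] = 0x1234;
    for (unsigned i = 0; i < sectors; i++) {
        usa[1 + i] = 0xA000 + i;
        if ((i + 1) * SECTOR_SIZE <= sizeof page)   /* stay inside the page */
            *(uint16_t *)(page + (i + 1) * SECTOR_SIZE - 2) = 0x1234;
    }
    int rc = fix_post_read(page, sizeof page, bytes);
    return rc < 0 ? rc : *(uint16_t *)(page + SECTOR_SIZE - 2);
}
```

With a header claiming 8 sectors and bytes = 4096 on a 2048-byte buffer, the kernel-style check alone passes (8 * 512 is not greater than 4096) and the walk would next touch offset 2048 + 510, which is the "510 bytes to the right" of the 2048-byte region in the KASAN report above; only the added bytes-vs-alloc guard stops it.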

