mi_enum_attr() has insufficient check on attr->res.data_size

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I've attached a corrupt ntfs image that causes fs/ntfs3 to write past
the end of a buffer.

The start of the problem is that mi_enum_attr() uses this to check that
the data_size in an ATTRIB is OK:

                t16 = le16_to_cpu(attr->res.data_off);
                if (t16 + le32_to_cpu(attr->res.data_size) > asize)
                        return NULL;

If attr->res.data_size is huge, e.g. 0xfffffff0, then the sum can wrap
so that it is less than asize. This means that mi_enum_attr() can accept
a huge data_size.

That in turn means that indx_get_root()'s check that root->ihdr.used
is less than a->res.data_size can allow root->ihdr.used to be huge:

        /* length check */
        if (root &&
            offsetof(struct INDEX_ROOT, ihdr) + le32_to_cpu(root->ihdr.used) >
                    le32_to_cpu(a->res.data_size)) {
                return NULL;
        }

A huge hdr->used can allow hdr_insert_de() to pass a large byte-count
to memmove(), causing it to write past the end of the allocated block
containing before:

        u32 used = le32_to_cpu(hdr->used);
        ...;
        memmove(Add2Ptr(before, de_size), before, used - off);

That's what the attached image provokes; the hdr->used in question is
3032, which is larger than the 1024-byte sbi->record_size.

# uname -a
Linux ubuntu66 6.7.0-11091-g296455ade1fd #5 SMP PREEMPT_DYNAMIC Fri Jan 19 15:38:07 EST 2024 x86_64 x86_64 x86_64 GNU/Linux
# gunzip -c < ntfs22c.img.gz > ntfs22c.img
# while :
do
  mount -t ntfs3 -o loop,rw ntfs22c.img /mnt
  touch /mnt/x /mnt/y
  rm /mnt/[xy]
  umount /mnt
done
=============================================================================
BUG kmalloc-1k (Tainted: G        W         ): Left Redzone overwritten
-----------------------------------------------------------------------------

0xffff888121d79800-0xffff888121d7982f @offset=6144. First byte 0x5a instead of 0xcc
Allocated in mi_init+0x7c/0x110 age=32936 cpu=7 pid=1359
Freed in qlist_free_all+0x56/0x170 age=48398 cpu=10 pid=1249
Slab 0xffffea0004875e00 objects=10 used=9 fp=0xffff888121d7c000 flags=0x20000000
0000a40(workingset|slab|head|node=0|zone=2)
Object 0xffff888121d79c00 @offset=7168 fp=0xffff888121d7a800

Robert Morris
rtm@xxxxxxxxxxxxx

Attachment: ntfs22c.img.gz
Description: Binary data

[Index of Archives]     [Linux Driver Backports]     [DMA Engine]     [Linux GPIO]     [Linux SPI]     [Video for Linux]     [Linux USB Devel]     [Linux Coverity]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux