Patch "fs/ntfs3: Fix OOB read in indx_insert_into_buffer" has been added to the 5.15-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    fs/ntfs3: Fix OOB read in indx_insert_into_buffer

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     fs-ntfs3-fix-oob-read-in-indx_insert_into_buffer.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 64ef6431c2e42fd9824d9a276cc8033c99e814ed
Author: ZhangPeng <zhangpeng362@xxxxxxxxxx>
Date:   Wed Dec 7 09:46:10 2022 +0000

    fs/ntfs3: Fix OOB read in indx_insert_into_buffer
    
    [ Upstream commit b8c44949044e5f7f864525fdffe8e95135ce9ce5 ]
    
    Syzbot reported a OOB read bug:
    
    BUG: KASAN: slab-out-of-bounds in indx_insert_into_buffer+0xaa3/0x13b0
    fs/ntfs3/index.c:1755
    Read of size 17168 at addr ffff8880255e06c0 by task syz-executor308/3630
    
    Call Trace:
     <TASK>
     memmove+0x25/0x60 mm/kasan/shadow.c:54
     indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755
     indx_insert_entry+0x446/0x6b0 fs/ntfs3/index.c:1863
     ntfs_create_inode+0x1d3f/0x35c0 fs/ntfs3/inode.c:1548
     ntfs_create+0x3e/0x60 fs/ntfs3/namei.c:100
     lookup_open fs/namei.c:3413 [inline]
    
    If the member struct INDEX_BUFFER *index of struct indx_node is
    incorrect, that is, the value of __le32 used is greater than the value
    of __le32 total in struct INDEX_HDR. Therefore, OOB read occurs when
    memmove is called in indx_insert_into_buffer().
    Fix this by adding a check in hdr_find_e().
    
    Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
    Reported-by: syzbot+d882d57193079e379309@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: ZhangPeng <zhangpeng362@xxxxxxxxxx>
    Signed-off-by: Konstantin Komarov <almaz.alexandrovich@xxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 99f8a57e9f7a9..37688cf6e3d05 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -679,9 +679,13 @@ static struct NTFS_DE *hdr_find_e(const struct ntfs_index *indx,
 	u32 e_size, e_key_len;
 	u32 end = le32_to_cpu(hdr->used);
 	u32 off = le32_to_cpu(hdr->de_off);
+	u32 total = le32_to_cpu(hdr->total);
 	u16 offs[128];
 
 fill_table:
+	if (end > total)
+		return NULL;
+
 	if (off + sizeof(struct NTFS_DE) > end)
 		return NULL;
 



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux