This is a note to let you know that I've just added the patch titled
fs/ntfs3: Fix OOB read in ntfs_init_from_boot
to the 6.5-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
fs-ntfs3-fix-oob-read-in-ntfs_init_from_boot.patch
and it can be found in the queue-6.5 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 34e6552a442f268eefd408e47f4f2d471aa64829 Mon Sep 17 00:00:00 2001
From: Pavel Skripkin <paskripkin@xxxxxxxxx>
Date: Thu, 13 Jul 2023 22:41:46 +0300
Subject: fs/ntfs3: Fix OOB read in ntfs_init_from_boot
From: Pavel Skripkin <paskripkin@xxxxxxxxx>
commit 34e6552a442f268eefd408e47f4f2d471aa64829 upstream.
Syzbot was able to create a device which has the last sector of size
512.
After failing to boot from initial sector, reading from boot info from
offset 511 causes OOB read.
To prevent such reports add sanity check to validate if size of buffer_head
if big enough to hold ntfs3 bootinfo
Fixes: 6a4cd3ea7d77 ("fs/ntfs3: Alternative boot if primary boot is corrupted")
Reported-by: syzbot+53ce40c8c0322c06aea5@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/ntfs3/super.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -855,6 +855,11 @@ static int ntfs_init_from_boot(struct su
check_boot:
err = -EINVAL;
+
+ /* Corrupted image; do not read OOB */
+ if (bh->b_size - sizeof(*boot) < boot_off)
+ goto out;
+
boot = (struct NTFS_BOOT *)Add2Ptr(bh->b_data, boot_off);
if (memcmp(boot->system_id, "NTFS ", sizeof("NTFS ") - 1)) {
Patches currently in stable-queue which might be from paskripkin@xxxxxxxxx are
queue-6.5/fs-ntfs3-fix-oob-read-in-ntfs_init_from_boot.patch
