Hi,

please backport commit fc4992458e0a ("fs/ntfs3: Add null pointer checks") to the 5.15 and 6.1 stable branches.

Commit message
"""
Added null pointer checks in function ntfs_security_init.
Also added le32_to_cpu in functions ntfs_security_init and indx_read.
"""

We are able to reproduce the below Syzkaller report on these two stable builds. The issue does not reproduce on upstream, older, or newer LTS releases. The above patch fixes the issue.

Best regards,
Bjoern

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 11283 Comm: syz-executor.7 Not tainted 6.1.74 #31
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
RIP: 0010:ntfs_security_init+0x561/0xac0 fs/ntfs3/fsntfs.c:1865
Code: 03 ff 41 83 fe 1f 0f 86 f8 03 00 00 e8 b8 5b 03 ff 4c 01 e3 e8 b0 5b 03 ff 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 ca
RSP: 0018:ffffc90012417a60 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90007b0c000
RDX: 0000000000000000 RSI: ffffffff827961c0 RDI: 0000000000000005
RBP: ffff888024503000 R08: 0000000000000005 R09: 000000000000001f
R10: 0000000000000000 R11: 00000000a5aa35ff R12: ffff888020543230
R13: ffff8880182f05d0 R14: 0000000000000000 R15: 00000000000000c8
FS:  00007f6bb914d6c0(0000) GS:ffff88805ab00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7ab932ff80 CR3: 00000000553ee001 CR4: 0000000000772ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
loop6: detected capacity change from 0 to 4096
ntfs3: Unknown parameter 'iE9�ND\���X8+dԧ�*��'
 ntfs_fill_super+0x1faf/0x22c0 fs/ntfs3/super.c:1238
 get_tree_bdev+0x40a/0x700 fs/super.c:1355
 vfs_get_tree+0x86/0x2e0 fs/super.c:1562
 do_new_mount+0x2d5/0x630 fs/namespace.c:3040
 path_mount+0x4c4/0x17e0 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x287/0x310 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x64/0xce
RIP: 0033:0x7f6bb846377e
Code: 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6bb914cec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f6bb914cf60 RCX: 00007f6bb846377e
RDX: 000000002001f6c0 RSI: 000000002001f700 RDI: 00007f6bb914cf20
RBP: 000000002001f6c0 R08: 00007f6bb914cf60 R09: 00000000000000c0
R10: 00000000000000c0 R11: 0000000000000202 R12: 000000002001f700
R13: 00007f6bb914cf20 R14: 000000000001f6f9 R15: 0000000020000080
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ntfs_security_init+0x561/0xac0 fs/ntfs3/fsntfs.c:1865
Code: 03 ff 41 83 fe 1f 0f 86 f8 03 00 00 e8 b8 5b 03 ff 4c 01 e3 e8 b0 5b 03 ff 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 ca
RSP: 0018:ffffc90012417a60 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90007b0c000
RDX: 0000000000000000 RSI: ffffffff827961c0 RDI: 0000000000000005
RBP: ffff888024503000 R08: 0000000000000005 R09: 000000000000001f
R10: 0000000000000000 R11: 00000000a5aa35ff R12: ffff888020543230
R13: ffff8880182f05d0 R14: 0000000000000000 R15: 00000000000000c8
FS:  00007f6bb914d6c0(0000) GS:ffff88805ab00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7ab932ff80 CR3: 00000000553ee001 CR4: 0000000000772ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
   0:	03 ff                	add    %edi,%edi
   2:	41 83 fe 1f          	cmp    $0x1f,%r14d
   6:	0f 86 f8 03 00 00    	jbe    0x404
   c:	e8 b8 5b 03 ff       	call   0xff035bc9
  11:	4c 01 e3             	add    %r12,%rbx
  14:	e8 b0 5b 03 ff       	call   0xff035bc9
  19:	48 89 da             	mov    %rbx,%rdx
  1c:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  23:	fc ff df
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx		<-- trapping instruction
  2e:	48 89 d8             	mov    %rbx,%rax
  31:	83 e0 07             	and    $0x7,%eax
  34:	83 c0 03             	add    $0x3,%eax
  37:	38 d0                	cmp    %dl,%al
  39:	7c 08                	jl     0x43
  3b:	84 d2                	test   %dl,%dl
  3d:	0f                   	.byte 0xf
  3e:	85 ca                	test   %ecx,%edx



Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879
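The report above is worth decoding once, because the "non-canonical address" KASAN faults on is not the pointer the driver dereferenced. The disassembly shows the inline KASAN check: %rbx (the pointer, here 0) is shifted right by 3 and added to the movabs immediate 0xdffffc0000000000, which is the x86-64 KASAN shadow offset; the movzbl then reads the shadow byte, and because the kernel never maps a shadow page for address 0 that read faults. The following is an added example, not code from the report or from the kernel: it reproduces the shadow-address arithmetic in user space and recovers the [0x0-0x7] range and the null-ptr-deref classification from the register values in the dump. The constants and the PAGE_SIZE threshold for the "null-ptr-deref" label are assumptions stated from my reading of the kernel's KASAN implementation, not something the report itself states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed x86-64 generic-KASAN layout: one shadow byte covers 8 bytes of
 * memory and lives at (addr >> 3) + KASAN_SHADOW_OFFSET.  The offset is the
 * movabs immediate in the report's disassembly.
 */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define PAGE_SIZE                4096ULL

/* Shadow byte address for a memory address: what the trapping movzbl reads. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/*
 * Inverse mapping: the 8-byte range of memory addresses that share one
 * shadow byte.  Returns false if the value cannot be a shadow address.
 */
bool kasan_shadow_to_range(uint64_t shadow, uint64_t *lo, uint64_t *hi)
{
    if (shadow < KASAN_SHADOW_OFFSET)
        return false;
    *lo = (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
    *hi = *lo + (1ULL << KASAN_SHADOW_SCALE_SHIFT) - 1;
    return true;
}

/*
 * Effective address of `movzbl (%rdx,%rax,1)` reconstructed from the dump:
 * %rdx holds the pointer (%rbx) shifted right by 3, %rax holds the offset.
 */
uint64_t trapping_effective_addr(uint64_t rbx, uint64_t rax)
{
    return (rbx >> KASAN_SHADOW_SCALE_SHIFT) + rax;
}

/*
 * Assumption: KASAN labels a wild access "null-ptr-deref" when the accessed
 * address lies in the first page; anything else in this toy is "wild".
 */
const char *kasan_bug_type(uint64_t lo)
{
    return lo < PAGE_SIZE ? "null-ptr-deref" : "wild-memory-access";
}

int main(void)
{
    /* Register values copied from the report: RBX == 0, RAX == shadow offset. */
    const uint64_t rbx = 0x0000000000000000ULL;
    const uint64_t rax = 0xdffffc0000000000ULL;
    uint64_t fault = trapping_effective_addr(rbx, rax), lo, hi;

    printf("trapping read at 0x%016llx\n", (unsigned long long)fault);
    if (kasan_shadow_to_range(fault, &lo, &hi))
        printf("KASAN: %s in range [0x%016llx-0x%016llx]\n",
               kasan_bug_type(lo), (unsigned long long)lo,
               (unsigned long long)hi);
    return 0;
}
```

Running it prints the same fault address and the same `[0x0000000000000000-0x0000000000000007]` range as the report, which confirms that the GPF is KASAN's shadow check on a NULL pointer inside ntfs_security_init rather than a corrupted pointer, consistent with the commit adding null checks there.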