Hi,

please backport commit 4f082a753122 "fs/ntfs3: Enhance the attribute size check" to the 6.1 stable branch.

Commit message:
"""
This combines the overflow and boundary check so that all attribute sizes will be properly examined while enumerating them.
"""

We have seen Syzkaller reports for the 6.1 stable build and this patch fixes the issue. The issue does not reproduce on any of the other stable branches.

Best regards,
Bjoern

Report:

==================================================================
loop4: detected capacity change from 0 to 65536
BUG: KASAN: use-after-free in ntfs_read_mft+0x3187/0x3210 fs/ntfs3/inode.c:163
Read of size 8 at addr ffff888023c28036 by task syz-executor.5/29379

CPU: 1 PID: 29379 Comm: syz-executor.5 Not tainted 6.1.78 #33
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x70/0x93 lib/dump_stack.c:106
 print_address_description.constprop.0+0x81/0x2b0 mm/kasan/report.c:284
 print_report+0x116/0x1f6 mm/kasan/report.c:395
 kasan_report+0xad/0x130 mm/kasan/report.c:495
 ntfs_read_mft+0x3187/0x3210 fs/ntfs3/inode.c:163
 ntfs_iget5+0x1a7/0x240 fs/ntfs3/inode.c:524
 ntfs_loadlog_and_replay+0x128/0x5e0 fs/ntfs3/fsntfs.c:272
 ntfs_fill_super+0xb28/0x22c0 fs/ntfs3/super.c:1018
 get_tree_bdev+0x40a/0x700 fs/super.c:1355
 vfs_get_tree+0x86/0x2e0 fs/super.c:1562
 do_new_mount+0x344/0x6b0 fs/namespace.c:3051
 path_mount+0x4c4/0x17e0 fs/namespace.c:3381
 do_mount fs/namespace.c:3394 [inline]
 __do_sys_mount fs/namespace.c:3602 [inline]
 __se_sys_mount fs/namespace.c:3579 [inline]
 __x64_sys_mount+0x287/0x310 fs/namespace.c:3579
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x64/0xce
RIP: 0033:0x7fd43486377e
Code: 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd4355d6ec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fd4355d6f60 RCX: 00007fd43486377e
RDX: 000000002001f800 RSI: 0000000020000040 RDI: 00007fd4355d6f20
RBP: 000000002001f800 R08: 00007fd4355d6f60 R09: 0000000000000003
R10: 0000000000000003 R11: 0000000000000202 R12: 0000000020000040
R13: 00007fd4355d6f20 R14: 000000000001f7f9 R15: 0000000020000000
 </TASK>

Allocated by task 6435:
 kasan_save_stack+0x1c/0x40 mm/kasan/common.c:45
 kasan_set_track+0x21/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x6d/0x70 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slub.c:3398 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc+0x144/0x320 mm/slub.c:3422
 getname_flags.part.0+0x55/0x4f0 fs/namei.c:139
 getname_flags+0x9d/0xf0 include/linux/audit.h:320
 vfs_fstatat+0x78/0xb0 fs/stat.c:266
 vfs_stat include/linux/fs.h:3352 [inline]
 __do_sys_newstat+0x89/0x110 fs/stat.c:410
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x64/0xce

Freed by task 6435:
 kasan_save_stack+0x1c/0x40 mm/kasan/common.c:45
 kasan_set_track+0x21/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2a/0x50 mm/kasan/generic.c:516
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x15b/0x1c0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook mm/slub.c:1750 [inline]
 slab_free mm/slub.c:3661 [inline]
 kmem_cache_free+0x123/0x4c0 mm/slub.c:3683
 putname+0x12f/0x170 fs/namei.c:273
 vfs_fstatat+0x9b/0xb0 fs/stat.c:268
 vfs_stat include/linux/fs.h:3352 [inline]
 __do_sys_newstat+0x89/0x110 fs/stat.c:410
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x64/0xce

The buggy address belongs to the object at ffff888023c28000
 which belongs to the cache names_cache of size 4096
The buggy address is located 54 bytes inside of
 4096-byte region [ffff888023c28000, ffff888023c29000)

The buggy address belongs to the physical page:
page:0000000034b12153 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23c28
head:0000000034b12153 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0010200 0000000000000000 dead000000000001 ffff88800cf57a00
raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888023c27f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888023c27f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888023c28000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff888023c28080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888023c28100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Managing directors: Christian Schlaeger, Jonathan Weiss
Registered at Charlottenburg District Court under HRB 149173 B
Registered office: Berlin
VAT ID: DE 289 237 879
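The commit message above describes combining the overflow check and the boundary check on each attribute's size while enumerating attributes, so that no size escapes validation. The C below is an added illustration of that pattern and is not the ntfs3 patch or its on-disk structures: `struct attr_hdr`, `walk_attrs`, the `demo_*` helpers, the end-marker value and the 8-byte alignment rule are all assumptions chosen for the example. The walker rejects a record whose size is smaller than its own header (which would also make the loop spin), not aligned, or larger than the space left in the buffer, and it computes the remaining space as `used - off` rather than `off + size` so that the comparison itself cannot wrap.

```c
/* Added example: overflow-safe enumeration of variable-length records.
 * Hypothetical layout, not the NTFS on-disk format and not ntfs3 code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct attr_hdr {        /* hypothetical record header */
    uint32_t type;       /* ATTR_END marks the end of the list */
    uint32_t size;       /* total record length, header included */
};

#define ATTR_END 0xffffffffu

/* Walk records in buf[0..used). Returns the number of well-formed records
 * before the end marker, or -1 if any size is inconsistent with the buffer. */
int walk_attrs(const uint8_t *buf, size_t used)
{
    size_t off = 0;
    int count = 0;

    for (;;) {
        struct attr_hdr h;

        /* The header itself must fit; off <= used holds by construction,
         * so used - off is the exact number of bytes remaining. */
        if (used - off < sizeof(h))
            return -1;
        memcpy(&h, buf + off, sizeof(h));
        if (h.type == ATTR_END)
            return count;

        /* Single combined check: size must cover the header (otherwise the
         * loop would not advance) and must not run past the buffer. */
        if (h.size < sizeof(h) || h.size > used - off)
            return -1;
        if (h.size & 7)          /* hypothetical 8-byte alignment rule */
            return -1;

        off += h.size;           /* cannot exceed used after the check above */
        count++;
    }
}

/* Constructed sample buffers for the cases a fuzzer tends to produce. */
static void put_hdr(uint8_t *buf, size_t off, uint32_t type, uint32_t size)
{
    struct attr_hdr h = { type, size };
    memcpy(buf + off, &h, sizeof(h));
}

int demo_valid(void)          /* two records, then the end marker -> 2 */
{
    uint8_t buf[48] = { 0 };
    put_hdr(buf, 0, 0x10, 16);
    put_hdr(buf, 16, 0x30, 24);
    put_hdr(buf, 40, ATTR_END, 0);
    return walk_attrs(buf, sizeof(buf));
}

int demo_oversized(void)      /* size claims more than the buffer holds -> -1 */
{
    uint8_t buf[32] = { 0 };
    put_hdr(buf, 0, 0x10, 64);
    return walk_attrs(buf, sizeof(buf));
}

int demo_zero_size(void)      /* size 0 would never advance -> -1 */
{
    uint8_t buf[32] = { 0 };
    put_hdr(buf, 0, 0x10, 0);
    return walk_attrs(buf, sizeof(buf));
}

int demo_truncated(void)      /* no end marker fits after the record -> -1 */
{
    uint8_t buf[20] = { 0 };
    put_hdr(buf, 0, 0x10, 16);
    return walk_attrs(buf, sizeof(buf));
}

int main(void)
{
    printf("valid=%d oversized=%d zero=%d truncated=%d\n",
           demo_valid(), demo_oversized(), demo_zero_size(), demo_truncated());
    return 0;
}
```

The point of the combined check is that every record reaching the `off += h.size` step has already passed both the minimum-size and the remaining-space test; a layout where one of those tests lives on a separate path, or where the bound is computed as `off + size`, leaves a window for a crafted image to push the walker past the record and into freed or neighbouring memory, which is exactly the class of access a KASAN report like the one above flags.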