projects / platform / kernel / linux-amlogic.git / commitdiff
(parent: 1532860)
ntfs: add check for mft record size in superblock
author Rustam Kovhaev <rkovhaev@gmail.com> Tue, 13 Oct 2020 23:48:17 +0000 (16:48 -0700)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org> Thu, 29 Oct 2020 08:05:43 +0000 (09:05 +0100)
[ Upstream commit 4f8c94022f0bc3babd0a124c0a7dcdd7547bd94e ]
Number of bytes allocated for mft record should be equal to the mft record
size stored in ntfs superblock as reported by syzbot, userspace might
trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find()
Reported-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Tested-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com
Acked-by: Anton Altaparmakov <anton@tuxera.com>
Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e
Link: https://lkml.kernel.org/r/20200824022804.226242-1-rkovhaev@gmail.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
fs/ntfs/inode.c
diff --git
a/fs/ntfs/inode.c
b/fs/ntfs/inode.c
index
7c410f8
..
2aa073b
100644
(file)
--- a/
fs/ntfs/inode.c
+++ b/
fs/ntfs/inode.c
@@
-1844,6
+1844,12
@@
int ntfs_read_inode_mount(struct inode *vi)
brelse(bh);
}
+ if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) {
+ ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.",
+ le32_to_cpu(m->bytes_allocated), vol->mft_record_size);
+ goto err_out;
+ }
+
/* Apply the mst fixups. */
if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) {
/* FIXME: Try to use the $MFTMirr now. */
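Review bot: the ntfs_error() string in the added check appears to label the two values the wrong way round. It prints le32_to_cpu(m->bytes_allocated) as the "mft record size ... in superblock" and vol->mft_record_size as the "should be" value, while the commit message describes bytes_allocated as the per-record field and the superblock as the source of the expected size. Someone triaging a corrupted or crafted image from this log line would look at the wrong structure. Consider wording along the lines of "mft record bytes_allocated %u does not match mft record size %u from superblock", keeping the argument order as it is. A smaller point: the comparison reads m->bytes_allocated before post_read_mst_fixup() has run on the record, so a one-line comment saying that this ordering is intentional (reject the record before any further parsing trusts its header) would help later readers. The ntfs_error() line also runs well past 80 columns and could be wrapped after the format string.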