ntfs: add check for mft record size in superblock

[ Upstream commit 4f8c94022f0bc3babd0a124c0a7dcdd7547bd94e ]

Number of bytes allocated for mft record should be equal to the mft record
size stored in ntfs superblock as reported by syzbot, userspace might
trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find()

Reported-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Tested-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com
Acked-by: Anton Altaparmakov <anton@tuxera.com>
Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e
Link: https://lkml.kernel.org/r/20200824022804.226242-1-rkovhaev@gmail.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index 7c410f8..2aa073b 100644 (file)
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -1844,6 +1844,12 @@ int ntfs_read_inode_mount(struct inode *vi)
                brelse(bh);
        }
 
+       if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) {
+               ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.",
+                               le32_to_cpu(m->bytes_allocated), vol->mft_record_size);
+               goto err_out;
+       }
+
        /* Apply the mst fixups. */
        if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) {
                /* FIXME: Try to use the $MFTMirr now. */