From: Dan Carpenter <dan.carpenter@oracle.com>
To: Hawkins Jiawei <yin31149@gmail.com>
Cc: syzbot+5f8dcabe4a3b2c51c607@syzkaller.appspotmail.com,
Anton Altaparmakov <anton@tuxera.com>,
akpm@linux-foundation.org, chenxiaosong2@huawei.com,
linux-kernel@vger.kernel.org,
linux-ntfs-dev@lists.sourceforge.net,
syzkaller-bugs@googlegroups.com, 18801353760@163.com
Subject: Re: [PATCH 3/3] ntfs: check overflow when iterates ATTR_RECORDs
Date: Wed, 31 Aug 2022 13:12:53 +0300
Message-ID: <20220831101253.GY2030@kadam>
In-Reply-To: <7b8b8633d921665a717734d011a92f713944d0fb.1661875711.git.yin31149@gmail.com>
On Wed, Aug 31, 2022 at 10:48:54AM +0800, Hawkins Jiawei wrote:
> The kernel iterates over the ATTR_RECORDs in an mft record in ntfs_attr_find().
> Because the ATTR_RECORDs are next to each other, the kernel can get the next
> ATTR_RECORD from the end address of the current ATTR_RECORD, using the current
> ATTR_RECORD's length field.
>
> The problem is that during iteration, when the kernel calculates the end address
> of the current ATTR_RECORD, it may trigger an overflow bug when
> executing `a = (ATTR_RECORD*)((u8*)a + le32_to_cpu(a->length))`. This
> may wrap, leading to a forever iteration on 32bit systems.
>
> This patch solves it by adding an overflow check when calculating the end address
> of the current ATTR_RECORD during iteration.
>
> Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
> Link: https://lore.kernel.org/all/20220827105842.GM2030@kadam/
> Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
> ---
> fs/ntfs/attrib.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c
> index 904734e34507..55e618c9e63e 100644
> --- a/fs/ntfs/attrib.c
> +++ b/fs/ntfs/attrib.c
> @@ -617,6 +617,9 @@ static int ntfs_attr_find(const ATTR_TYPE type, const ntfschar *name,
> return -ENOENT;
> if (unlikely(!a->length))
> break;
> + /* check for wrap around */
> + if ((u8 *)a + le32_to_cpu(a->length) < (u8 *)a)
> + break;
Wouldn't it also be good to check that a + a->length <= mrec_end?
It gets checked on the next iteration sure, but it just seems like a
reasonable thing to check here.
regards,
dan carpenter
> if (a->type != type)
> continue;
> /*
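Review bot: the added test `if ((u8 *)a + le32_to_cpu(a->length) < (u8 *)a)` compares a pointer sum that has already overflowed, which is undefined behaviour in C; a compiler is entitled to assume `p + n >= p` and drop the branch, so the check may not survive optimisation. Doing the comparison on byte counts against the end of the record handles both the wrap and the overrun Dan asks about in one step, e.g. `if (le32_to_cpu(a->length) > (u8 *)mrec_end - (u8 *)a) break;` (assuming mrec_end marks the end of the mft record, as the reply implies). The preceding `if (unlikely(!a->length))` only rejects zero, so a length smaller than the attribute header still passes; requiring at least the header size would guarantee the loop advances past the current record.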
> --
> 2.25.1
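As an added illustration of the size-based check discussed above (example code, not the kernel's ntfs_attr_find() or the patch), the walk below bounds each length against the bytes remaining in the record instead of comparing pointer sums, so a huge length is rejected rather than wrapped. The header layout, type codes and 64-byte buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the on-disk attribute header: only the two
 * fields the walk needs, in host byte order (the kernel uses le32). */
struct attr_hdr {
    uint32_t type;
    uint32_t length;
};
#define ATTR_END_MARKER 0xffffffffu   /* constructed end-of-list marker */

/* Count the attribute records in mrec[first_off..mrec_len).
 * Every check is done on byte counts, never on pointer sums, so a huge
 * length cannot wrap the way (u8 *)a + length can on 32-bit. Returns -1
 * if a record is truncated, too short to advance, or runs past the end. */
int walk_attr_records(const uint8_t *mrec, size_t mrec_len, size_t first_off)
{
    size_t off = first_off;
    int count = 0;

    for (;;) {
        struct attr_hdr a;
        if (off > mrec_len || mrec_len - off < sizeof a)
            return -1;                  /* header itself is out of bounds */
        memcpy(&a, mrec + off, sizeof a);
        if (a.type == ATTR_END_MARKER)
            return count;
        if (a.length < sizeof a)
            return -1;                  /* zero or tiny length: would never advance */
        if (a.length > mrec_len - off)
            return -1;                  /* a + length would run past mrec_end */
        off += a.length;
        count++;
    }
}

/* Build a constructed 64-byte record buffer holding two records and an end
 * marker, then walk it. second_len is the length field of the second record. */
int demo_walk(uint32_t second_len)
{
    uint8_t mrec[64] = { 0 };
    struct attr_hdr recs[3] = { { 0x10, 24 }, { 0x30, second_len }, { ATTR_END_MARKER, 0 } };
    memcpy(mrec, &recs[0], sizeof recs[0]);
    memcpy(mrec + 24, &recs[1], sizeof recs[1]);
    memcpy(mrec + 40, &recs[2], sizeof recs[2]);
    return walk_attr_records(mrec, sizeof mrec, 0);
}
```

demo_walk(16) reaches the end marker and returns 2; demo_walk(0xfffffff8u), a length that would wrap a 32-bit pointer, returns -1 without ever touching memory outside the buffer.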