From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, lei lu <llfamsec@gmail.com>,
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Subject: [PATCH 6.6 04/16] fs/ntfs3: Add a check for attr_names and oatbl
Date: Thu, 25 Jul 2024 16:37:17 +0200 [thread overview]
Message-ID: <20240725142729.072539182@linuxfoundation.org> (raw)
In-Reply-To: <20240725142728.905379352@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
commit 702d4930eb06dcfda85a2fa67e8a1a27bfa2a845 upstream.
Added out-of-bound checking for *ane (ATTR_NAME_ENTRY).
Reported-by: lei lu <llfamsec@gmail.com>
Fixes: 865e7a7700d93 ("fs/ntfs3: Reduce stack usage")
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/fslog.c | 38 ++++++++++++++++++++++++++++++++------
1 file changed, 32 insertions(+), 6 deletions(-)
--- a/fs/ntfs3/fslog.c
+++ b/fs/ntfs3/fslog.c
@@ -3722,6 +3722,8 @@ int log_replay(struct ntfs_inode *ni, bo
u64 rec_lsn, checkpt_lsn = 0, rlsn = 0;
struct ATTR_NAME_ENTRY *attr_names = NULL;
+ u32 attr_names_bytes = 0;
+ u32 oatbl_bytes = 0;
struct RESTART_TABLE *dptbl = NULL;
struct RESTART_TABLE *trtbl = NULL;
const struct RESTART_TABLE *rt;
@@ -3736,6 +3738,7 @@ int log_replay(struct ntfs_inode *ni, bo
struct NTFS_RESTART *rst = NULL;
struct lcb *lcb = NULL;
struct OPEN_ATTR_ENRTY *oe;
+ struct ATTR_NAME_ENTRY *ane;
struct TRANSACTION_ENTRY *tr;
struct DIR_PAGE_ENTRY *dp;
u32 i, bytes_per_attr_entry;
@@ -4314,17 +4317,40 @@ check_attr_table:
lcb = NULL;
check_attribute_names2:
- if (rst->attr_names_len && oatbl) {
- struct ATTR_NAME_ENTRY *ane = attr_names;
- while (ane->off) {
+ if (attr_names && oatbl) {
+ off = 0;
+ for (;;) {
+ /* Check we can use attribute name entry 'ane'. */
+ static_assert(sizeof(*ane) == 4);
+ if (off + sizeof(*ane) > attr_names_bytes) {
+ /* just ignore the rest. */
+ break;
+ }
+
+ ane = Add2Ptr(attr_names, off);
+ t16 = le16_to_cpu(ane->off);
+ if (!t16) {
+ /* this is the only valid exit. */
+ break;
+ }
+
+ /* Check we can use open attribute entry 'oe'. */
+ if (t16 + sizeof(*oe) > oatbl_bytes) {
+ /* just ignore the rest. */
+ break;
+ }
+
/* TODO: Clear table on exit! */
- oe = Add2Ptr(oatbl, le16_to_cpu(ane->off));
+ oe = Add2Ptr(oatbl, t16);
t16 = le16_to_cpu(ane->name_bytes);
+ off += t16 + sizeof(*ane);
+ if (off > attr_names_bytes) {
+ /* just ignore the rest. */
+ break;
+ }
oe->name_len = t16 / sizeof(short);
oe->ptr = ane->name;
oe->is_attr_name = 2;
- ane = Add2Ptr(ane,
- sizeof(struct ATTR_NAME_ENTRY) + t16);
}
}
next prev parent reply other threads:[~2024-07-25 14:45 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-25 14:37 [PATCH 6.6 00/16] 6.6.43-rc1 review Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.6 01/16] drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.6 02/16] ocfs2: add bounds checking to ocfs2_check_dir_entry() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.6 03/16] jfs: dont walk off the end of ealist Greg Kroah-Hartman
2024-07-25 14:37 ` Greg Kroah-Hartman [this message]
2024-07-25 14:37 ` [PATCH 6.6 05/16] fs/ntfs3: Validate ff offset Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.6 06/16] usb: gadget: midi2: Fix incorrect default MIDI2 protocol setup Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.6 07/16] ALSA: hda/realtek: Enable headset mic on Positivo SU C1400 Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.6 08/16] ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.6 09/16] arm64: dts: qcom: qrb4210-rb2: switch I2C2 to i2c-gpio Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.6 10/16] arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.6 11/16] arm64: dts: qcom: sm6350: " Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.6 12/16] arm64: dts: qcom: ipq6018: " Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.6 13/16] arm64: dts: qcom: sdm630: " Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.6 14/16] ALSA: pcm_dmaengine: Dont synchronize DMA channel when DMA is paused Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.6 15/16] ALSA: seq: ump: Skip useless ports for static blocks Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.6 16/16] filelock: Fix fcntl/close race recovery compat path Greg Kroah-Hartman
2024-07-25 20:04 ` [PATCH 6.6 00/16] 6.6.43-rc1 review Peter Schneider
2024-07-25 23:21 ` SeongJae Park
2024-07-26 5:24 ` Harshit Mogalapalli
2024-07-26 8:59 ` Ron Economos
2024-07-26 11:39 ` Mark Brown
2024-07-26 12:32 ` Takeshi Ogasawara
2024-07-26 16:32 ` Shuah Khan
2024-07-26 17:14 ` Jon Hunter
2024-07-26 17:41 ` Naresh Kamboju
2024-07-26 18:22 ` Florian Fainelli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240725142729.072539182@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=almaz.alexandrovich@paragon-software.com \
--cc=llfamsec@gmail.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.