From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, lei lu <llfamsec@gmail.com>,
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Subject: [PATCH 6.10 06/29] fs/ntfs3: Validate ff offset
Date: Thu, 25 Jul 2024 16:36:22 +0200
Message-ID: <20240725142732.058337344@linuxfoundation.org>
In-Reply-To: <20240725142731.814288796@linuxfoundation.org>
6.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: lei lu <llfamsec@gmail.com>
commit 50c47879650b4c97836a0086632b3a2e300b0f06 upstream.
This adds sanity checks for ff offset. There is a check
on rt->first_free at first, but walking through by ff
is done without any check. If the second ff is a large offset,
we may encounter an out-of-bounds read.
Signed-off-by: lei lu <llfamsec@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/fslog.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/ntfs3/fslog.c
+++ b/fs/ntfs3/fslog.c
@@ -724,7 +724,8 @@ static bool check_rstbl(const struct RES
if (!rsize || rsize > bytes ||
rsize + sizeof(struct RESTART_TABLE) > bytes || bytes < ts ||
- le16_to_cpu(rt->total) > ne || ff > ts || lf > ts ||
+ le16_to_cpu(rt->total) > ne ||
+ ff > ts - sizeof(__le32) || lf > ts - sizeof(__le32) ||
(ff && ff < sizeof(struct RESTART_TABLE)) ||
(lf && lf < sizeof(struct RESTART_TABLE))) {
return false;
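Review bot: `ff > ts - sizeof(__le32)` (and the same for `lf`) is only safe if `ts` can never be smaller than `sizeof(__le32)`; the visible checks bound `ts` from above (`bytes < ts`) but not from below, and if `ts` were in 0..3 the unsigned subtraction would wrap and the new test would accept any offset. A one-line comment stating what guarantees the lower bound (for example that `ts` always includes `sizeof(struct RESTART_TABLE)`) would spare the next reader from re-deriving why the subtraction is sound. The bound itself is the right one: it ensures the 4-byte `__le32` read at `ff` ends within the table rather than merely starting inside it, which `ff > ts` alone did not.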
@@ -754,6 +755,9 @@ static bool check_rstbl(const struct RES
return false;
off = le32_to_cpu(*(__le32 *)Add2Ptr(rt, off));
+
+ if (off > ts - sizeof(__le32))
+ return false;
}
return true;
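Review bot: the new `off > ts - sizeof(__le32)` check keeps the next `Add2Ptr(rt, off)` read inside the table, but two gaps remain in this walk. First, nothing bounds the number of iterations: an in-range entry whose stored value points back to itself or to an earlier link makes the loop spin forever on a malformed log, so consider counting iterations and returning false once they exceed the number of entries (`ne`, which the first hunk already compares against `rt->total`). Second, the lower bound the first hunk applies to `ff` and `lf` (`ff < sizeof(struct RESTART_TABLE)`) is not applied to `off` here, so a nonzero offset that lands inside the header passes and the next iteration interprets a header field as a link; rejecting `off < sizeof(struct RESTART_TABLE)` alongside the new upper bound would close that.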
2024-07-25 14:36 [PATCH 6.10 00/29] 6.10.2-rc1 review Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 01/29] drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 02/29] s390/mm: Fix VM_FAULT_HWPOISON handling in do_exception() Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 03/29] ocfs2: add bounds checking to ocfs2_check_dir_entry() Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 04/29] jfs: dont walk off the end of ealist Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 05/29] fs/ntfs3: Add a check for attr_names and oatbl Greg Kroah-Hartman
2024-07-25 14:36 ` Greg Kroah-Hartman [this message]
2024-07-25 14:36 ` [PATCH 6.10 07/29] usb: gadget: midi2: Fix incorrect default MIDI2 protocol setup Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 08/29] ALSA: hda/tas2781: Add new quirk for Lenovo Hera2 Laptop Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 09/29] ALSA: hda/realtek: Enable headset mic on Positivo SU C1400 Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 10/29] ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 11/29] arm64: dts: qcom: sc7180: Disable SuperSpeed instances in park mode Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 12/29] arm64: dts: qcom: sc7280: " Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 13/29] arm64: dts: qcom: x1e80100-qcp: Fix USB PHYs regulators Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 14/29] arm64: dts: qcom: qrb2210-rb1: switch I2C2 to i2c-gpio Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 15/29] arm64: dts: qcom: qrb4210-rb2: " Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 16/29] arm64: dts: qcom: x1e80100-crd: Fix the PHY regulator for PCIe 6a Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 17/29] arm64: dts: qcom: x1e80100-qcp: " Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 18/29] arm64: dts: qcom: x1e80100-crd: Fix USB PHYs regulators Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 19/29] arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 20/29] arm64: dts: qcom: sm6350: " Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 21/29] arm64: dts: qcom: msm8998: " Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 22/29] arm64: dts: qcom: ipq6018: " Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 23/29] arm64: dts: qcom: sdm630: " Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 24/29] arm64: dts: qcom: ipq8074: " Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 25/29] arm64: dts: qcom: sdm845: " Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 26/29] arm64: dts: qcom: sm6115: " Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 27/29] ALSA: pcm_dmaengine: Dont synchronize DMA channel when DMA is paused Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 28/29] ALSA: seq: ump: Skip useless ports for static blocks Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 6.10 29/29] filelock: Fix fcntl/close race recovery compat path Greg Kroah-Hartman
2024-07-25 23:23 ` [PATCH 6.10 00/29] 6.10.2-rc1 review SeongJae Park
2024-07-26 0:35 ` Justin Forbes
2024-07-26 8:46 ` Ron Economos
2024-07-26 11:27 ` Mark Brown
2024-07-26 12:47 ` Rudi Heitbaum
2024-07-26 16:28 ` Shuah Khan
2024-07-26 17:18 ` Jon Hunter
2024-07-26 17:48 ` Naresh Kamboju
2024-07-26 18:29 ` Markus Reichelt
2024-07-26 20:37 ` Florian Fainelli
2024-07-26 21:27 ` Christian Heusel
2024-07-27 1:05 ` Peter Schneider