From: Andrew Hamilton <adhamilt@gmail.com>
To: grub-devel@gnu.org
Cc: daniel.kiper@oracle.com, phcoder@gmail.com,
development@efficientek.com, Andrew Hamilton <adhamilt@gmail.com>
Subject: [PATCH v3 1/5] fs/ntfs: Correct regression with run list calculation
Date: Wed, 21 May 2025 22:20:37 -0500
Message-ID: <20250522032041.32043-2-adhamilt@gmail.com>
In-Reply-To: <20250522032041.32043-1-adhamilt@gmail.com>
Correct ntfs_test test failures around attempting to validate attribute
run list values. The calculation was incorrect for the 'curr' variable.
With the previous calculation, some file systems would fail validation
despite being well-formed and valid. This was caused by incrementing
'curr' by min_size which included both the (already accounted for)
min_size as well as the size of the run list. Correct by making a new
variable 'run_size' to denote the current run list size to increment
both 'curr' and 'min_size' separately.
Fixes: 067b6d225 (fs/ntfs: Implement attribute verification)
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
---
grub-core/fs/ntfs.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
index b3117bf92..27d9bb11c 100644
--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
@@ -83,6 +83,7 @@ validate_attribute (grub_uint8_t *attr, void *end)
{
grub_size_t attr_size = 0;
grub_size_t min_size = 0;
+ grub_size_t run_size = 0;
grub_size_t spare = (grub_uint8_t *) end - attr;
/*
* Just used as a temporary variable to try and deal with cases where someone
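Review bot: the new run_size declaration has no comment saying what it counts, unlike the temporary variable documented just below it. Both later uses add 1 to it, so a short comment at the declaration stating that it holds the number of bytes following the run header byte, not including the header byte itself, would make the run_size + 1 arithmetic easier to check.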
@@ -172,11 +173,15 @@ validate_attribute (grub_uint8_t *attr, void *end)
* to the number of bytes used to store the total length of the
* data run, and the number of bytes used to store the offset.
* These directly follow the header byte, so we use them to update
- * the minimum size.
+ * the minimum size. Increment by one more than run size to move on
+ * to the next run size header byte. An example is a run size field
+ * value of 0x32, 3 + 2 = 5 bytes follow the run size. Increment
+ * by 5 to get to the end of this data run then one more to get to
+ * the start of the next run size byte.
*/
- min_size += (attr[curr] & 0x7) + ((attr[curr] >> 4) & 0x7);
- curr += min_size;
- min_size++;
+ run_size = (attr[curr] & 0x7) + ((attr[curr] >> 4) & 0x7);
+ curr += (run_size + 1);
+ min_size += (run_size + 1);
if (min_size > attr_size)
goto fail;
}
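Review bot: the bounds check after the increments tests min_size against attr_size, but the byte read on the next pass is attr[curr], and nothing in this hunk ties curr to attr_size or to spare. With this change curr and min_size advance by the same run_size + 1, so the check only protects that read if min_size is already ahead of curr when the loop is entered, which is decided outside the lines shown; note also that min_size == attr_size passes the check. Suggest either checking curr directly before attr[curr] is dereferenced, or extending the comment to state the relation between curr and min_size that the check relies on. Minor: the parentheses in curr += (run_size + 1) and min_size += (run_size + 1) are not needed.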
--
2.39.5
Thread overview: 7+ messages
2025-05-22 3:20 [PATCH v3 0/5] fs: Test failure fixes and fuzzer fixes Andrew Hamilton
2025-05-22 3:20 ` Andrew Hamilton [this message]
2025-05-22 3:20 ` [PATCH v3 2/5] fs/ntfs: Correct attribute vs attribute list validation Andrew Hamilton
2025-05-22 3:20 ` [PATCH v3 3/5] fs/ntfs: Correct possible access violations Andrew Hamilton
2025-05-22 3:20 ` [PATCH v3 4/5] fs/ntfs: Correct possible infinite loops / hangs Andrew Hamilton
2025-05-22 3:20 ` [PATCH v3 5/5] fs/fshelp: Avoid possible NULL pointer deference Andrew Hamilton
2025-05-22 8:35 ` [PATCH v3 0/5] fs: Test failure fixes and fuzzer fixes Daniel Kiper via Grub-devel