From: syzbot <syzbot+39b2fb0f2638669008ec@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] ntfs3: fix array-index-out-of-bounds in decompress_lznt
Date: Fri, 17 Apr 2026 03:12:09 -0700 [thread overview]
Message-ID: <69e20779.a00a0220.1cdc.0009.GAE@google.com> (raw)
In-Reply-To: <00000000000077d29606186c5e99@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ntfs3: fix array-index-out-of-bounds in decompress_lznt
Author: tristmd@gmail.com
From: Tristan Madani <tristan@talencesecurity.com>
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
The index correction loop in decompress_chunk() increments the index
variable without checking against the s_max_off[] array size:
    while (unc + s_max_off[index] < up)
        index += 1;
When a crafted NTFS image causes the decompressed output pointer (up) to
advance beyond unc + s_max_off[8] (0x1000), the loop reads s_max_off[9]
which is past the end of the 9-element array, triggering UBSAN:
UBSAN: array-index-out-of-bounds in fs/ntfs3/lznt.c:243:16
index 9 is out of range for type 'const size_t[9]'
Commit 9931122d04c6 ("fs/ntfs3: Check if more than chunk-size bytes are
written") partially addressed this by adding a check for up - unc >
LZNT_CHUNK_SIZE before the loop. However, this relies on the implicit
invariant that LZNT_CHUNK_SIZE equals s_max_off[ARRAY_SIZE(s_max_off)-1],
and the check uses strict greater-than which still allows index to reach
the boundary value in edge cases with concurrent modifications to the
unc_end bound.
Add a direct bounds check on index within the while loop condition to
make the code robust regardless of the relationship between
LZNT_CHUNK_SIZE and s_max_off[] values. If index reaches the maximum,
break out of the correction loop -- the entry at s_max_off[8] (0x1000)
already covers the full chunk range.
Found by syzbot.
Reported-by: syzbot+39b2fb0f2638669008ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=39b2fb0f2638669008ec
Fixes: 522e010b5837 ("fs/ntfs3: Add compression")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
fs/ntfs3/lznt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ntfs3/lznt.c b/fs/ntfs3/lznt.c
index XXXXXXX..XXXXXXX 100644
--- a/fs/ntfs3/lznt.c
+++ b/fs/ntfs3/lznt.c
@@ -240,7 +240,7 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr,
if (up - unc > LZNT_CHUNK_SIZE)
return -EINVAL;
/* Correct index */
- while (unc + s_max_off[index] < up)
+ while (index < ARRAY_SIZE(s_max_off) - 1 && unc + s_max_off[index] < up)
index += 1;
/* Check the current flag for zero. */
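Review bot: the new `index < ARRAY_SIZE(s_max_off) - 1` guard is correct as written, but the commit message does not show a path on which it is ever needed: the `if (up - unc > LZNT_CHUNK_SIZE) return -EINVAL;` two lines above the loop already bounds `up - unc` to at most LZNT_CHUNK_SIZE, and the message itself states LZNT_CHUNK_SIZE equals s_max_off[8] (0x1000), so `unc + s_max_off[8] < up` is false and `index` stops at 8 before reading s_max_off[9]. The "concurrent modifications to the unc_end bound" argument is not supported by this hunk either, since `unc`, `up` and `index` are function-local values in decompress_chunk(). Either give a concrete reproducing sequence in the commit message or reword it as a defensive hardening of the implicit LZNT_CHUNK_SIZE/s_max_off[] invariant; consider also expressing that invariant as a compile-time check next to the array rather than only in the loop condition. Separately, `index XXXXXXX..XXXXXXX 100644` is a placeholder, so this diff was not produced by `git format-patch` against the tree named in the `#syz test:` line; regenerate it so the blob ids are real.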
--
2.39.5