From: Andrew Ballance
To: syzbot+39b2fb0f2638669008ec@syzkaller.appspotmail.com
Cc: almaz.alexandrovich@paragon-software.com, linux-kernel@vger.kernel.org, ntfs3@lists.linux.dev, syzkaller-bugs@googlegroups.com, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linuxfoundation.org, Andrew Ballance
Subject: [PATCH] ntfs3: check if more than chunk-size bytes are written
Date: Wed, 15 May 2024 07:38:33 -0500
Message-ID: <20240515123946.874688-1-andrewjballance@gmail.com>
In-Reply-To: <00000000000077d29606186c5e99@google.com>
References: <00000000000077d29606186c5e99@google.com>

#syz test

An incorrectly formatted chunk may decompress into more than
LZNT_CHUNK_SIZE bytes and an index out of bounds will occur in
s_max_off.

Signed-off-by: Andrew Ballance
---
 fs/ntfs3/lznt.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/fs/ntfs3/lznt.c b/fs/ntfs3/lznt.c index 4aae598d6d88..fdc9b2ebf341 100644 --- a/fs/ntfs3/lznt.c +++ b/fs/ntfs3/lznt.c @@ -236,6 +236,9 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr, /* Do decompression until pointers are inside range. */ while (up < unc_end && cmpr < cmpr_end) { + // return err if more than LZNT_CHUNK_SIZE bytes are written + if (up - unc > LZNT_CHUNK_SIZE) + return -EINVAL; /* Correct index */ while (unc + s_max_off[index] < up) index += 1; -- 2.45.0
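
Review bot: The new check at the top of the `while (up < unc_end && cmpr < cmpr_end)` loop protects the `s_max_off[index]` lookup only indirectly, by bounding `up - unc`, while the inner loop `while (unc + s_max_off[index] < up) index += 1;` still has no bound on `index` itself. That is sufficient only if the last entry of `s_max_off` is at least `LZNT_CHUNK_SIZE`, which these lines do not show; either state that invariant in the comment or bound the index directly, for example by testing `index` against `ARRAY_SIZE(s_max_off)` in the inner loop. The comparison is `>`, so `up - unc == LZNT_CHUNK_SIZE` still reaches the lookup, and the commit message should say why that boundary case is safe. On style, the surrounding code uses `/* ... */` comments, so the added `//` comment should match.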