From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Edward Lo <edward.lo@ambergroup.io>,
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.0 26/74] fs/ntfs3: Add null pointer check to attr_load_runs_vcn
Date: Mon, 2 Jan 2023 12:21:59 +0100 [thread overview]
Message-ID: <20230102110553.183688417@linuxfoundation.org> (raw)
In-Reply-To: <20230102110552.061937047@linuxfoundation.org>
From: Edward Lo <edward.lo@ambergroup.io>
[ Upstream commit 2681631c29739509eec59cc0b34e977bb04c6cf1 ]
Some metadata files are handled before MFT. This adds a null pointer
check for some corner cases that could lead to NPD while reading these
metadata files for a malformed NTFS image.
[ 240.190827] BUG: kernel NULL pointer dereference, address: 0000000000000158
[ 240.191583] #PF: supervisor read access in kernel mode
[ 240.191956] #PF: error_code(0x0000) - not-present page
[ 240.192391] PGD 0 P4D 0
[ 240.192897] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 240.193805] CPU: 0 PID: 242 Comm: mount Tainted: G B 5.19.0+ #17
[ 240.194477] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 240.195152] RIP: 0010:ni_find_attr+0xae/0x300
[ 240.195679] Code: c8 48 c7 45 88 c0 4e 5e 86 c7 00 f1 f1 f1 f1 c7 40 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 e2 d9f
[ 240.196642] RSP: 0018:ffff88800812f690 EFLAGS: 00000286
[ 240.197019] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff85ef037a
[ 240.197523] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff88e95f60
[ 240.197877] RBP: ffff88800812f738 R08: 0000000000000001 R09: fffffbfff11d2bed
[ 240.198292] R10: ffffffff88e95f67 R11: fffffbfff11d2bec R12: 0000000000000000
[ 240.198647] R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000
[ 240.199410] FS: 00007f233c33be40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000
[ 240.199895] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 240.200314] CR2: 0000000000000158 CR3: 0000000004d32000 CR4: 00000000000006f0
[ 240.200839] Call Trace:
[ 240.201104] <TASK>
[ 240.201502] ? ni_load_mi+0x80/0x80
[ 240.202297] ? ___slab_alloc+0x465/0x830
[ 240.202614] attr_load_runs_vcn+0x8c/0x1a0
[ 240.202886] ? __kasan_slab_alloc+0x32/0x90
[ 240.203157] ? attr_data_write_resident+0x250/0x250
[ 240.203543] mi_read+0x133/0x2c0
[ 240.203785] mi_get+0x70/0x140
[ 240.204012] ni_load_mi_ex+0xfa/0x190
[ 240.204346] ? ni_std5+0x90/0x90
[ 240.204588] ? __kasan_kmalloc+0x88/0xb0
[ 240.204859] ni_enum_attr_ex+0xf1/0x1c0
[ 240.205107] ? ni_fname_type.part.0+0xd0/0xd0
[ 240.205600] ? ntfs_load_attr_list+0xbe/0x300
[ 240.205864] ? ntfs_cmp_names_cpu+0x125/0x180
[ 240.206157] ntfs_iget5+0x56c/0x1870
[ 240.206510] ? ntfs_get_block_bmap+0x70/0x70
[ 240.206776] ? __kasan_kmalloc+0x88/0xb0
[ 240.207030] ? set_blocksize+0x95/0x150
[ 240.207545] ntfs_fill_super+0xb8f/0x1e20
[ 240.207839] ? put_ntfs+0x1d0/0x1d0
[ 240.208069] ? vsprintf+0x20/0x20
[ 240.208467] ? mutex_unlock+0x81/0xd0
[ 240.208846] ? set_blocksize+0x95/0x150
[ 240.209221] get_tree_bdev+0x232/0x370
[ 240.209804] ? put_ntfs+0x1d0/0x1d0
[ 240.210519] ntfs_fs_get_tree+0x15/0x20
[ 240.210991] vfs_get_tree+0x4c/0x130
[ 240.211455] path_mount+0x645/0xfd0
[ 240.211806] ? putname+0x80/0xa0
[ 240.212112] ? finish_automount+0x2e0/0x2e0
[ 240.212559] ? kmem_cache_free+0x110/0x390
[ 240.212906] ? putname+0x80/0xa0
[ 240.213329] do_mount+0xd6/0xf0
[ 240.213829] ? path_mount+0xfd0/0xfd0
[ 240.214246] ? __kasan_check_write+0x14/0x20
[ 240.214774] __x64_sys_mount+0xca/0x110
[ 240.215080] do_syscall_64+0x3b/0x90
[ 240.215442] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 240.215811] RIP: 0033:0x7f233b4e948a
[ 240.216104] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
[ 240.217615] RSP: 002b:00007fff02211ec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 240.218718] RAX: ffffffffffffffda RBX: 0000561cdc35b060 RCX: 00007f233b4e948a
[ 240.219556] RDX: 0000561cdc35b260 RSI: 0000561cdc35b2e0 RDI: 0000561cdc363af0
[ 240.219975] RBP: 0000000000000000 R08: 0000561cdc35b280 R09: 0000000000000020
[ 240.220403] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000561cdc363af0
[ 240.220803] R13: 0000561cdc35b260 R14: 0000000000000000 R15: 00000000ffffffff
[ 240.221256] </TASK>
[ 240.221567] Modules linked in:
[ 240.222028] CR2: 0000000000000158
[ 240.223291] ---[ end trace 0000000000000000 ]---
[ 240.223669] RIP: 0010:ni_find_attr+0xae/0x300
[ 240.224058] Code: c8 48 c7 45 88 c0 4e 5e 86 c7 00 f1 f1 f1 f1 c7 40 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 e2 d9f
[ 240.225033] RSP: 0018:ffff88800812f690 EFLAGS: 00000286
[ 240.225968] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff85ef037a
[ 240.226624] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff88e95f60
[ 240.227307] RBP: ffff88800812f738 R08: 0000000000000001 R09: fffffbfff11d2bed
[ 240.227816] R10: ffffffff88e95f67 R11: fffffbfff11d2bec R12: 0000000000000000
[ 240.228330] R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000
[ 240.228729] FS: 00007f233c33be40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000
[ 240.229281] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 240.230298] CR2: 0000000000000158 CR3: 0000000004d32000 CR4: 00000000000006f0
Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/attrib.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c
index 0d354560d323..578c2bcfb1d9 100644
--- a/fs/ntfs3/attrib.c
+++ b/fs/ntfs3/attrib.c
@@ -1221,6 +1221,11 @@ int attr_load_runs_vcn(struct ntfs_inode *ni, enum ATTR_TYPE type,
CLST svcn, evcn;
u16 ro;
+ if (!ni) {
+ /* Is record corrupted? */
+ return -ENOENT;
+ }
+
attr = ni_find_attr(ni, NULL, NULL, type, name, name_len, &vcn, NULL);
if (!attr) {
/* Is record corrupted? */
--
2.35.1
next prev parent reply other threads:[~2023-01-02 11:27 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-02 11:21 [PATCH 6.0 00/74] 6.0.17-rc1 review Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 01/74] usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 02/74] blk-cgroup: fix error unwinding in blkcg_init_queue Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 03/74] blk-cgroup: remove blk_queue_root_blkg Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 04/74] blk-cgroup: remove open coded blkg_lookup instances Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 05/74] blk-cgroup: cleanup the blkg_lookup family of functions Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 06/74] blk-cgroup: pass a gendisk to blkcg_init_queue and blkcg_exit_queue Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 07/74] blk-throttle: pass a gendisk to blk_throtl_init and blk_throtl_exit Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 08/74] blk-cgroup: pass a gendisk to blkg_destroy_all Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 09/74] blk-iolatency: Fix memory leak on add_disk() failures Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 10/74] cifs: fix static checker warning Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 11/74] cifs: dont leak -ENOMEM in smb2_open_file() Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 12/74] nvme-pci: fix doorbell buffer value endianness Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 13/74] nvme-pci: fix mempool alloc size Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 14/74] nvme-pci: fix page size checks Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 15/74] ACPI: resource: Skip IRQ override on Asus Vivobook K3402ZA/K3502ZA Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 16/74] ACPI: resource: do IRQ override on LENOVO IdeaPad Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 17/74] ACPI: resource: do IRQ override on XMG Core 15 Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 18/74] ACPI: resource: do IRQ override on Lenovo 14ALC7 Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 19/74] block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 20/74] ata: ahci: Fix PCS quirk application for suspend Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 21/74] nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 22/74] nvmet: dont defer passthrough commands with trivial effects to the workqueue Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 23/74] fs/ntfs3: Validate BOOT record_size Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 24/74] fs/ntfs3: Add overflow check for attribute size Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 25/74] fs/ntfs3: Validate data run offset Greg Kroah-Hartman
2023-01-02 11:21 ` Greg Kroah-Hartman [this message]
2023-01-02 11:22 ` [PATCH 6.0 27/74] fs/ntfs3: Fix memory leak on ntfs_fill_super() error path Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 28/74] fs/ntfs3: Add null pointer check for inode operations Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 29/74] fs/ntfs3: Validate attribute name offset Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 30/74] fs/ntfs3: Validate buffer length while parsing index Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 31/74] fs/ntfs3: Validate resident attribute name Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 32/74] fs/ntfs3: Fix slab-out-of-bounds read in run_unpack Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 33/74] soundwire: dmi-quirks: add quirk variant for LAPBC710 NUC15 Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 34/74] fs/ntfs3: Validate index root when initialize NTFS security Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 35/74] fs/ntfs3: Use __GFP_NOWARN allocation at wnd_init() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 36/74] fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_fill_super() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 37/74] fs/ntfs3: Delete duplicate condition in ntfs_read_mft() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 38/74] fs/ntfs3: Fix slab-out-of-bounds in r_page Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 39/74] objtool: Fix SEGFAULT Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 40/74] iommu/mediatek: Fix crash on isr after kexec() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 41/74] powerpc/rtas: avoid device tree lookups in rtas_os_term() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 42/74] powerpc/rtas: avoid scheduling " Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 43/74] rtc: msc313: Fix function prototype mismatch in msc313_rtc_probe() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 44/74] kprobes: kretprobe events missing on 2-core KVM guest Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 45/74] HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 46/74] HID: plantronics: Additional PIDs for double volume key presses quirk Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 47/74] futex: Fix futex_waitv() hrtimer debug object leak on kcalloc error Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 48/74] rtmutex: Add acquire semantics for rtmutex lock acquisition slow path Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 49/74] mm/mempolicy: fix memory leak in set_mempolicy_home_node system call Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 50/74] pstore: Properly assign mem_type property Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 51/74] pstore/zone: Use GFP_ATOMIC to allocate zone buffer Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 52/74] hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 53/74] eventpoll: add EPOLL_URING_WAKE poll wakeup flag Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 54/74] eventfd: provide a eventfd_signal_mask() helper Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 55/74] io_uring: dont remove file from msg_ring reqs Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 56/74] binfmt: Fix error return code in load_elf_fdpic_binary() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 57/74] ovl: Use ovl mounters fsuid and fsgid in ovl_link() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 58/74] ovl: update ->f_iocb_flags when ovl_change_flags() modifies ->f_flags Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 59/74] ALSA: line6: correct midi status byte when receiving data from podxt Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 60/74] ALSA: line6: fix stack overflow in line6_midi_transmit Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 61/74] ALSA: hda/hdmi: Static PCM mapping again with AMD HDMI codecs Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 62/74] pnode: terminate at peers of source Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 63/74] mfd: mt6360: Add bounds checking in Regmap read/write call-backs Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 64/74] md: fix a crash in mempool_free Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 65/74] mm, compaction: fix fast_isolate_around() to stay within boundaries Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 66/74] f2fs: should put a page when checking the summary info Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 67/74] f2fs: allow to read node block after shutdown Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 68/74] block: Do not reread partition table on exclusively open device Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 69/74] mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 70/74] tpm: acpi: Call acpi_put_table() to fix memory leak Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 71/74] tpm: tpm_crb: Add the missed " Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 72/74] tpm: tpm_tis: " Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 73/74] SUNRPC: Dont leak netobj memory when gss_read_proxy_verf() fails Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 74/74] kcsan: Instrument memcpy/memset/memmove with newer Clang Greg Kroah-Hartman
2023-01-03 0:28 ` [PATCH 6.0 00/74] 6.0.17-rc1 review Shuah Khan
2023-01-03 1:13 ` Guenter Roeck
2023-01-03 8:33 ` Naresh Kamboju
2023-01-03 10:37 ` Sudip Mukherjee (Codethink)
2023-01-03 22:59 ` Sudip Mukherjee
2023-01-04 11:08 ` Greg Kroah-Hartman
2023-01-03 12:07 ` Bagas Sanjaya
2023-01-03 13:23 ` Allen Pais
2023-01-03 15:33 ` Jon Hunter
2023-01-03 19:02 ` Florian Fainelli
2023-01-03 22:11 ` Ron Economos
2023-01-04 1:38 ` Justin Forbes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230102110553.183688417@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=almaz.alexandrovich@paragon-software.com \
--cc=edward.lo@ambergroup.io \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox