From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Edward Lo <edward.lo@ambergroup.io>,
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.0 34/74] fs/ntfs3: Validate index root when initialize NTFS security
Date: Mon, 2 Jan 2023 12:22:07 +0100 [thread overview]
Message-ID: <20230102110553.532125588@linuxfoundation.org> (raw)
In-Reply-To: <20230102110552.061937047@linuxfoundation.org>
From: Edward Lo <edward.lo@ambergroup.io>
[ Upstream commit bfcdbae0523bd95eb75a739ffb6221a37109881e ]
This enhances the sanity check for $SDH and $SII while initializing NTFS
security, guarantees these index root are legit.
[ 162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320
[ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243
[ 162.460851]
[ 162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42
[ 162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 162.462609] Call Trace:
[ 162.462954] <TASK>
[ 162.463276] dump_stack_lvl+0x49/0x63
[ 162.463822] print_report.cold+0xf5/0x689
[ 162.464608] ? unwind_get_return_address+0x3a/0x60
[ 162.465766] ? hdr_find_e.isra.0+0x10c/0x320
[ 162.466975] kasan_report+0xa7/0x130
[ 162.467506] ? _raw_spin_lock_irq+0xc0/0xf0
[ 162.467998] ? hdr_find_e.isra.0+0x10c/0x320
[ 162.468536] __asan_load2+0x68/0x90
[ 162.468923] hdr_find_e.isra.0+0x10c/0x320
[ 162.469282] ? cmp_uints+0xe0/0xe0
[ 162.469557] ? cmp_sdh+0x90/0x90
[ 162.469864] ? ni_find_attr+0x214/0x300
[ 162.470217] ? ni_load_mi+0x80/0x80
[ 162.470479] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 162.470931] ? ntfs_bread_run+0x190/0x190
[ 162.471307] ? indx_get_root+0xe4/0x190
[ 162.471556] ? indx_get_root+0x140/0x190
[ 162.471833] ? indx_init+0x1e0/0x1e0
[ 162.472069] ? fnd_clear+0x115/0x140
[ 162.472363] ? _raw_spin_lock_irqsave+0x100/0x100
[ 162.472731] indx_find+0x184/0x470
[ 162.473461] ? sysvec_apic_timer_interrupt+0x57/0xc0
[ 162.474429] ? indx_find_buffer+0x2d0/0x2d0
[ 162.474704] ? do_syscall_64+0x3b/0x90
[ 162.474962] dir_search_u+0x196/0x2f0
[ 162.475381] ? ntfs_nls_to_utf16+0x450/0x450
[ 162.475661] ? ntfs_security_init+0x3d6/0x440
[ 162.475906] ? is_sd_valid+0x180/0x180
[ 162.476191] ntfs_extend_init+0x13f/0x2c0
[ 162.476496] ? ntfs_fix_post_read+0x130/0x130
[ 162.476861] ? iput.part.0+0x286/0x320
[ 162.477325] ntfs_fill_super+0x11e0/0x1b50
[ 162.477709] ? put_ntfs+0x1d0/0x1d0
[ 162.477970] ? vsprintf+0x20/0x20
[ 162.478258] ? set_blocksize+0x95/0x150
[ 162.478538] get_tree_bdev+0x232/0x370
[ 162.478789] ? put_ntfs+0x1d0/0x1d0
[ 162.479038] ntfs_fs_get_tree+0x15/0x20
[ 162.479374] vfs_get_tree+0x4c/0x130
[ 162.479729] path_mount+0x654/0xfe0
[ 162.480124] ? putname+0x80/0xa0
[ 162.480484] ? finish_automount+0x2e0/0x2e0
[ 162.480894] ? putname+0x80/0xa0
[ 162.481467] ? kmem_cache_free+0x1c4/0x440
[ 162.482280] ? putname+0x80/0xa0
[ 162.482714] do_mount+0xd6/0xf0
[ 162.483264] ? path_mount+0xfe0/0xfe0
[ 162.484782] ? __kasan_check_write+0x14/0x20
[ 162.485593] __x64_sys_mount+0xca/0x110
[ 162.486024] do_syscall_64+0x3b/0x90
[ 162.486543] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 162.487141] RIP: 0033:0x7f9d374e948a
[ 162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
[ 162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a
[ 162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0
[ 162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020
[ 162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0
[ 162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff
[ 162.493644] </TASK>
[ 162.493908]
[ 162.494214] The buggy address belongs to the physical page:
[ 162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc
[ 162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)
[ 162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000
[ 162.498928] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000
[ 162.500542] page dumped because: kasan: bad access detected
[ 162.501057]
[ 162.501242] Memory state around the buggy address:
[ 162.502230] ffff8880037bc980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 162.502977] ffff8880037bca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 162.503522] >ffff8880037bca80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 162.503963] ^
[ 162.504370] ffff8880037bcb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 162.504766] ffff8880037bcb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/fsntfs.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c
index 4ed15f64b17f..b6e22bcb929b 100644
--- a/fs/ntfs3/fsntfs.c
+++ b/fs/ntfs3/fsntfs.c
@@ -1849,9 +1849,10 @@ int ntfs_security_init(struct ntfs_sb_info *sbi)
goto out;
}
- root_sdh = resident_data(attr);
+ root_sdh = resident_data_ex(attr, sizeof(struct INDEX_ROOT));
if (root_sdh->type != ATTR_ZERO ||
- root_sdh->rule != NTFS_COLLATION_TYPE_SECURITY_HASH) {
+ root_sdh->rule != NTFS_COLLATION_TYPE_SECURITY_HASH ||
+ offsetof(struct INDEX_ROOT, ihdr) + root_sdh->ihdr.used > attr->res.data_size) {
err = -EINVAL;
goto out;
}
@@ -1867,9 +1868,10 @@ int ntfs_security_init(struct ntfs_sb_info *sbi)
goto out;
}
- root_sii = resident_data(attr);
+ root_sii = resident_data_ex(attr, sizeof(struct INDEX_ROOT));
if (root_sii->type != ATTR_ZERO ||
- root_sii->rule != NTFS_COLLATION_TYPE_UINT) {
+ root_sii->rule != NTFS_COLLATION_TYPE_UINT ||
+ offsetof(struct INDEX_ROOT, ihdr) + root_sii->ihdr.used > attr->res.data_size) {
err = -EINVAL;
goto out;
}
--
2.35.1
next prev parent reply other threads:[~2023-01-02 11:28 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-02 11:21 [PATCH 6.0 00/74] 6.0.17-rc1 review Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 01/74] usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 02/74] blk-cgroup: fix error unwinding in blkcg_init_queue Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 03/74] blk-cgroup: remove blk_queue_root_blkg Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 04/74] blk-cgroup: remove open coded blkg_lookup instances Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 05/74] blk-cgroup: cleanup the blkg_lookup family of functions Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 06/74] blk-cgroup: pass a gendisk to blkcg_init_queue and blkcg_exit_queue Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 07/74] blk-throttle: pass a gendisk to blk_throtl_init and blk_throtl_exit Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 08/74] blk-cgroup: pass a gendisk to blkg_destroy_all Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 09/74] blk-iolatency: Fix memory leak on add_disk() failures Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 10/74] cifs: fix static checker warning Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 11/74] cifs: dont leak -ENOMEM in smb2_open_file() Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 12/74] nvme-pci: fix doorbell buffer value endianness Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 13/74] nvme-pci: fix mempool alloc size Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 14/74] nvme-pci: fix page size checks Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 15/74] ACPI: resource: Skip IRQ override on Asus Vivobook K3402ZA/K3502ZA Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 16/74] ACPI: resource: do IRQ override on LENOVO IdeaPad Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 17/74] ACPI: resource: do IRQ override on XMG Core 15 Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 18/74] ACPI: resource: do IRQ override on Lenovo 14ALC7 Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 19/74] block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 20/74] ata: ahci: Fix PCS quirk application for suspend Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 21/74] nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 22/74] nvmet: dont defer passthrough commands with trivial effects to the workqueue Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 23/74] fs/ntfs3: Validate BOOT record_size Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 24/74] fs/ntfs3: Add overflow check for attribute size Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 25/74] fs/ntfs3: Validate data run offset Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 26/74] fs/ntfs3: Add null pointer check to attr_load_runs_vcn Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 27/74] fs/ntfs3: Fix memory leak on ntfs_fill_super() error path Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 28/74] fs/ntfs3: Add null pointer check for inode operations Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 29/74] fs/ntfs3: Validate attribute name offset Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 30/74] fs/ntfs3: Validate buffer length while parsing index Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 31/74] fs/ntfs3: Validate resident attribute name Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 32/74] fs/ntfs3: Fix slab-out-of-bounds read in run_unpack Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 33/74] soundwire: dmi-quirks: add quirk variant for LAPBC710 NUC15 Greg Kroah-Hartman
2023-01-02 11:22 ` Greg Kroah-Hartman [this message]
2023-01-02 11:22 ` [PATCH 6.0 35/74] fs/ntfs3: Use __GFP_NOWARN allocation at wnd_init() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 36/74] fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_fill_super() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 37/74] fs/ntfs3: Delete duplicate condition in ntfs_read_mft() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 38/74] fs/ntfs3: Fix slab-out-of-bounds in r_page Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 39/74] objtool: Fix SEGFAULT Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 40/74] iommu/mediatek: Fix crash on isr after kexec() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 41/74] powerpc/rtas: avoid device tree lookups in rtas_os_term() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 42/74] powerpc/rtas: avoid scheduling " Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 43/74] rtc: msc313: Fix function prototype mismatch in msc313_rtc_probe() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 44/74] kprobes: kretprobe events missing on 2-core KVM guest Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 45/74] HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 46/74] HID: plantronics: Additional PIDs for double volume key presses quirk Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 47/74] futex: Fix futex_waitv() hrtimer debug object leak on kcalloc error Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 48/74] rtmutex: Add acquire semantics for rtmutex lock acquisition slow path Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 49/74] mm/mempolicy: fix memory leak in set_mempolicy_home_node system call Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 50/74] pstore: Properly assign mem_type property Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 51/74] pstore/zone: Use GFP_ATOMIC to allocate zone buffer Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 52/74] hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 53/74] eventpoll: add EPOLL_URING_WAKE poll wakeup flag Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 54/74] eventfd: provide a eventfd_signal_mask() helper Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 55/74] io_uring: dont remove file from msg_ring reqs Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 56/74] binfmt: Fix error return code in load_elf_fdpic_binary() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 57/74] ovl: Use ovl mounters fsuid and fsgid in ovl_link() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 58/74] ovl: update ->f_iocb_flags when ovl_change_flags() modifies ->f_flags Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 59/74] ALSA: line6: correct midi status byte when receiving data from podxt Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 60/74] ALSA: line6: fix stack overflow in line6_midi_transmit Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 61/74] ALSA: hda/hdmi: Static PCM mapping again with AMD HDMI codecs Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 62/74] pnode: terminate at peers of source Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 63/74] mfd: mt6360: Add bounds checking in Regmap read/write call-backs Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 64/74] md: fix a crash in mempool_free Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 65/74] mm, compaction: fix fast_isolate_around() to stay within boundaries Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 66/74] f2fs: should put a page when checking the summary info Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 67/74] f2fs: allow to read node block after shutdown Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 68/74] block: Do not reread partition table on exclusively open device Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 69/74] mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 70/74] tpm: acpi: Call acpi_put_table() to fix memory leak Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 71/74] tpm: tpm_crb: Add the missed " Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 72/74] tpm: tpm_tis: " Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 73/74] SUNRPC: Dont leak netobj memory when gss_read_proxy_verf() fails Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 74/74] kcsan: Instrument memcpy/memset/memmove with newer Clang Greg Kroah-Hartman
2023-01-03 0:28 ` [PATCH 6.0 00/74] 6.0.17-rc1 review Shuah Khan
2023-01-03 1:13 ` Guenter Roeck
2023-01-03 8:33 ` Naresh Kamboju
2023-01-03 10:37 ` Sudip Mukherjee (Codethink)
2023-01-03 22:59 ` Sudip Mukherjee
2023-01-04 11:08 ` Greg Kroah-Hartman
2023-01-03 12:07 ` Bagas Sanjaya
2023-01-03 13:23 ` Allen Pais
2023-01-03 15:33 ` Jon Hunter
2023-01-03 19:02 ` Florian Fainelli
2023-01-03 22:11 ` Ron Economos
2023-01-04 1:38 ` Justin Forbes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230102110553.532125588@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=almaz.alexandrovich@paragon-software.com \
--cc=edward.lo@ambergroup.io \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox