[PATCH] NTFS: Add name sanity check to ntfs_attr_find
From: Fox Chen @ 2020-11-02 9:06 UTC
To: anton
Cc: Fox Chen, linux-ntfs-dev, linux-kernel, gregkh,
syzbot+ecbcf37464c627253e44
When mounting, if attribute data is corrupted, doing a named attribute
lookup can lead to invalid memory access. This is reported by syzkaller.
This patch adds a sanity check prior to attribute name lookup. If the attribute's
name_offset is invalid, it will flag a volume error and return -EIO.
Reported-by: syzbot+ecbcf37464c627253e44@syzkaller.appspotmail.com
Signed-off-by: Fox Chen <foxhlchen@gmail.com>
---
fs/ntfs/attrib.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c
index d563abc3e136..e7366f74ff62 100644
--- a/fs/ntfs/attrib.c
+++ b/fs/ntfs/attrib.c
@@ -607,6 +607,16 @@ static int ntfs_attr_find(const ATTR_TYPE type, const ntfschar *name,
* If @name is present, compare the two names. If @name is
* missing, assume we want an unnamed attribute.
*/
+
+ /*
+ * Sanity check, a->name_offset should be within the range of a->lengh,
+ */
+ if (name && ((u8*)a + le16_to_cpu(a->name_offset)) > ((u8*)a + le32_to_cpu(a->length))) {
+ ntfs_error(vol->sb, "Invalid Attribute Name. Inode is corrupt. Run chkdsk.");
+ NVolSetErrors(vol);
+ return -EIO;
+ }
+
if (!name) {
/* The search failed if the found attribute is named. */
if (a->name_length)
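Review bot: the condition on the `if (name && ...)` line only checks that `name_offset` does not point past `a->length`, but the name comparison the context comment announces ("If @name is present, compare the two names") reads `a->name_length` two-byte characters starting at that offset, so a record whose offset is just inside the record while `name_offset + name_length * sizeof(ntfschar)` runs past `a->length` still passes this check and is still read out of bounds; suggest validating the whole extent on integer offsets instead of forming and comparing pointers, e.g. `if (name && le16_to_cpu(a->name_offset) + a->name_length * sizeof(ntfschar) > le32_to_cpu(a->length))`, which also covers the `name_offset == a->length` case that the current `>` lets through. The new comment also has a typo: `a->lengh` should be `a->length`.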
--
2.25.1
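As an added illustration of the kind of check the patch introduces (example code written for this page, not part of the patch or of fs/ntfs), the function below validates an attribute name's offset and full extent against the record length, using a hypothetical minimal stand-in for the attribute record header. The field names follow the patch (`length`, `name_offset`, `name_length`), but the struct layout, the `rec_avail` parameter and every sample value are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Hypothetical minimal stand-in for the fields of an NTFS attribute record
 * header that the check needs. The real ATTR_RECORD in fs/ntfs/layout.h has
 * more fields and little-endian types; this layout is constructed for the
 * example only. */
struct attr_hdr {
    uint32_t type;
    uint32_t length;        /* byte length of the whole attribute record */
    uint8_t  non_resident;
    uint8_t  name_length;   /* name length in 2-byte Unicode characters */
    uint16_t name_offset;   /* byte offset of the name from record start */
};

#define NTFSCHAR_SIZE 2u
#define MIN_HDR_SIZE  ((uint32_t)sizeof(struct attr_hdr))

/* Returns true only if the name described by the header lies entirely inside
 * the record and the record itself fits in the bytes still available
 * (rec_avail, e.g. the rest of the MFT record). Pure integer arithmetic is
 * used so a corrupt offset never forms an out-of-bounds pointer; the sum
 * cannot overflow because off <= 0xffff and name_bytes <= 255 * 2. */
bool attr_name_in_bounds(const struct attr_hdr *a, uint32_t rec_avail)
{
    uint32_t len = a->length;
    uint32_t off = a->name_offset;
    uint32_t name_bytes = (uint32_t)a->name_length * NTFSCHAR_SIZE;

    if (len < MIN_HDR_SIZE || len > rec_avail)
        return false;                    /* record header itself is bogus */
    if (a->name_length == 0)
        return true;                     /* unnamed attribute: nothing to read */
    if (off < MIN_HDR_SIZE)
        return false;                    /* name would overlap the header */
    return off + name_bytes <= len;      /* whole name inside the record */
}

/* Convenience wrapper that builds a constructed header from raw fields. */
bool check_fields(uint32_t length, uint8_t name_length, uint16_t name_offset,
                  uint32_t rec_avail)
{
    struct attr_hdr a = { .type = 0x30, .length = length, .non_resident = 0,
                          .name_length = name_length,
                          .name_offset = name_offset };
    return attr_name_in_bounds(&a, rec_avail);
}

/* Runs four constructed cases and returns how many were classified as
 * expected (4 when the check behaves). */
int run_demo(void)
{
    int ok = 0;
    /* valid: 8-char name at offset 24 ends exactly at length 40 */
    ok += check_fields(40, 8, 24, 64) == true;
    /* corrupt: name_offset itself is past the end of the record */
    ok += check_fields(40, 8, 60, 64) == false;
    /* corrupt: offset in range but the name runs past the end (30 + 16 > 40);
     * an offset-only comparison would accept this record */
    ok += check_fields(40, 8, 30, 64) == false;
    /* corrupt: record claims more bytes than remain in the buffer */
    ok += check_fields(200, 8, 24, 64) == false;
    return ok;
}
```

The third case is the one worth keeping in mind when writing such a check: an offset that is inside the record is not sufficient on its own, because the reader consumes `name_length` characters from that offset.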