From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: edward lo <edward.lo@ambergroup.io>,
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>,
Sasha Levin <sashal@kernel.org>,
ntfs3@lists.linux.dev
Subject: [PATCH AUTOSEL 5.15 01/22] fs/ntfs3: Validate BOOT record_size
Date: Tue, 27 Dec 2022 15:34:11 -0500 [thread overview]
Message-ID: <20221227203433.1214255-1-sashal@kernel.org> (raw)
From: edward lo <edward.lo@ambergroup.io>
[ Upstream commit 0b66046266690454dc04e6307bcff4a5605b42a1 ]
When the NTFS BOOT record_size field < 0, it represents a
shift value. However, there is no sanity check on the shift result
and the sbi->record_bits calculation through blksize_bits() assumes
the size always > 256, which could lead to NPD while mounting a
malformed NTFS image.
[ 318.675159] BUG: kernel NULL pointer dereference, address: 0000000000000158
[ 318.675682] #PF: supervisor read access in kernel mode
[ 318.675869] #PF: error_code(0x0000) - not-present page
[ 318.676246] PGD 0 P4D 0
[ 318.676502] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 318.676934] CPU: 0 PID: 259 Comm: mount Not tainted 5.19.0 #5
[ 318.677289] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 318.678136] RIP: 0010:ni_find_attr+0x2d/0x1c0
[ 318.678656] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180
[ 318.679848] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246
[ 318.680104] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080
[ 318.680790] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 318.681679] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 318.682577] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080
[ 318.683015] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000
[ 318.683618] FS: 00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000
[ 318.684280] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 318.684651] CR2: 0000000000000158 CR3: 0000000002e1a000 CR4: 00000000000006f0
[ 318.685623] Call Trace:
[ 318.686607] <TASK>
[ 318.686872] ? ntfs_alloc_inode+0x1a/0x60
[ 318.687235] attr_load_runs_vcn+0x2b/0xa0
[ 318.687468] mi_read+0xbb/0x250
[ 318.687576] ntfs_iget5+0x114/0xd90
[ 318.687750] ntfs_fill_super+0x588/0x11b0
[ 318.687953] ? put_ntfs+0x130/0x130
[ 318.688065] ? snprintf+0x49/0x70
[ 318.688164] ? put_ntfs+0x130/0x130
[ 318.688256] get_tree_bdev+0x16a/0x260
[ 318.688407] vfs_get_tree+0x20/0xb0
[ 318.688519] path_mount+0x2dc/0x9b0
[ 318.688877] do_mount+0x74/0x90
[ 318.689142] __x64_sys_mount+0x89/0xd0
[ 318.689636] do_syscall_64+0x3b/0x90
[ 318.689998] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 318.690318] RIP: 0033:0x7fd9e133c48a
[ 318.690687] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
[ 318.691357] RSP: 002b:00007ffd374406c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 318.691632] RAX: ffffffffffffffda RBX: 0000564d0b051080 RCX: 00007fd9e133c48a
[ 318.691920] RDX: 0000564d0b051280 RSI: 0000564d0b051300 RDI: 0000564d0b0596a0
[ 318.692123] RBP: 0000000000000000 R08: 0000564d0b0512a0 R09: 0000000000000020
[ 318.692349] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564d0b0596a0
[ 318.692673] R13: 0000564d0b051280 R14: 0000000000000000 R15: 00000000ffffffff
[ 318.693007] </TASK>
[ 318.693271] Modules linked in:
[ 318.693614] CR2: 0000000000000158
[ 318.694446] ---[ end trace 0000000000000000 ]---
[ 318.694779] RIP: 0010:ni_find_attr+0x2d/0x1c0
[ 318.694952] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180
[ 318.696042] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246
[ 318.696531] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080
[ 318.698114] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 318.699286] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 318.699795] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080
[ 318.700236] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000
[ 318.700973] FS: 00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000
[ 318.701688] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 318.702190] CR2: 0000000000000158 CR3: 0000000002e1a000 CR4: 00000000000006f0
[ 318.726510] mount (259) used greatest stack depth: 13320 bytes left
This patch adds a sanity check.
Signed-off-by: edward lo <edward.lo@ambergroup.io>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index f3b88c7e35f7..4b8fa5299e26 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -789,7 +789,7 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size,
: (u32)boot->record_size
<< sbi->cluster_bits;
- if (record_size > MAXIMUM_BYTES_PER_MFT)
+ if (record_size > MAXIMUM_BYTES_PER_MFT || record_size < SECTOR_SIZE)
goto out;
sbi->record_bits = blksize_bits(record_size);
--
2.35.1
next reply other threads:[~2022-12-27 20:39 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-27 20:34 Sasha Levin [this message]
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 02/22] fs/ntfs3: Add overflow check for attribute size Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 03/22] fs/ntfs3: Validate data run offset Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 04/22] fs/ntfs3: Add null pointer check to attr_load_runs_vcn Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 05/22] fs/ntfs3: Fix memory leak on ntfs_fill_super() error path Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 06/22] fs/ntfs3: Add null pointer check for inode operations Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 07/22] fs/ntfs3: Validate attribute name offset Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 08/22] fs/ntfs3: Validate buffer length while parsing index Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 09/22] fs/ntfs3: Validate resident attribute name Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 10/22] fs/ntfs3: Fix slab-out-of-bounds read in run_unpack Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 11/22] soundwire: dmi-quirks: add quirk variant for LAPBC710 NUC15 Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 12/22] fs/ntfs3: Validate index root when initialize NTFS security Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 13/22] fs/ntfs3: Use __GFP_NOWARN allocation at wnd_init() Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 14/22] fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_fill_super() Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 15/22] fs/ntfs3: Delete duplicate condition in ntfs_read_mft() Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 16/22] fs/ntfs3: Fix slab-out-of-bounds in r_page Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 17/22] objtool: Fix SEGFAULT Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 18/22] powerpc/rtas: avoid device tree lookups in rtas_os_term() Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 19/22] powerpc/rtas: avoid scheduling " Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 20/22] powerpc/msi: Fix deassociation of MSI descriptors Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 21/22] HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint Sasha Levin
2022-12-27 20:34 ` [PATCH AUTOSEL 5.15 22/22] HID: plantronics: Additional PIDs for double volume key presses quirk Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221227203433.1214255-1-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=almaz.alexandrovich@paragon-software.com \
--cc=edward.lo@ambergroup.io \
--cc=linux-kernel@vger.kernel.org \
--cc=ntfs3@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox