[PATCH v5] fs/ntfs3: Validate parameter bytes and valid size

public inbox for ntfs3@lists.linux.dev
 help / color / mirror / Atom feed

From: eadavis@sina.com
To: eadavis@sina.com
Cc: almaz.alexandrovich@paragon-software.com,
	dan.carpenter@oracle.com, kbuild-all@lists.01.org,
	linux-kernel@vger.kernel.org, lkp@intel.com,
	llvm@lists.linux.dev, nathan@kernel.org, ndesaulniers@google.com,
	ntfs3@lists.linux.dev,
	syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com,
	syzkaller-bugs@googlegroups.com, trix@redhat.com,
	eadaivs <eadaivs@sina.com>
Subject: [PATCH v5] fs/ntfs3: Validate parameter bytes and valid size
Date: Sun, 13 Nov 2022 13:07:53 +0800	[thread overview]
Message-ID: <20221113050753.270164-1-eadavis@sina.com> (raw)
In-Reply-To: <20220919133202.308766-1-eadavis@sina.com>

From: eadaivs <eadaivs@sina.com>

Syzbot reports a slab out of bounds read in ntfs_get_ea,
According to splat, the final problem is in the function find_ea,

1) If parameter "bytes" less than the structure EA_ FULL Pointer Object Size,
then the unpacked_ea_size() is an out of bounds read.

2) The *off + unpacked_ea_size() can have an integer overflow.

Change the type of the parameter bytes to size_t,
add sanity check for ensuring that the parameter bytes within reason.
And instead of calculating the offset, use the function size add.

Link: https://syzkaller.appspot.com/bug?extid=c4d950787fd5553287b7
Reported-and-tested-by: syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com
Fixes: (be71b5cba2e6) fs/ntfs3: Add attrib operations
Signed-off-by: eadaivs <eadaivs@sina.com>
---
Changes in v5:
  Refactor the code and pass syzbot test.

 fs/ntfs3/xattr.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
index afd0ddad826f..188a76c28233 100644
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -41,17 +41,23 @@ static inline size_t packed_ea_size(const struct EA_FULL *ea)
  *
  * Assume there is at least one xattr in the list.
  */
-static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
+static inline bool find_ea(const struct EA_FULL *ea_all, size_t bytes,
 			   const char *name, u8 name_len, u32 *off)
 {
+	const struct EA_FULL *eb;
+	u32 next_off;
 	*off = 0;
 
-	if (!ea_all || !bytes)
+	if (!ea_all || bytes < sizeof(*eb))
 		return false;
 
 	for (;;) {
 		const struct EA_FULL *ea = Add2Ptr(ea_all, *off);
-		u32 next_off = *off + unpacked_ea_size(ea);
+
+		if (sizeof(*ea) + *off > bytes)
+			return false;
+
+		next_off = size_add(*off, unpacked_ea_size(ea));
 
 		if (next_off > bytes)
 			return false;
@@ -61,8 +67,6 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
 			return true;
 
 		*off = next_off;
-		if (next_off >= bytes)
-			return false;
 	}
 }
 
-- 
2.37.2

next prev parent reply	other threads:[~2022-11-13  5:08 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-06 16:55 [syzbot] KASAN: slab-out-of-bounds Read in ntfs_get_ea syzbot
2022-09-12  3:41 ` [PATCH] fs/netfs3: add a boundary check for EA_FULL eadavis
2022-09-12  6:16   ` kernel test robot
2022-09-12  6:16   ` kernel test robot
2022-09-19  5:19     ` [PATCH] fs/ntfs3: "add a boundary check for EA_FULL" lose right parenthesis eadavis
2022-09-19 10:42       ` Dan Carpenter
2022-09-19 11:19         ` [PATCH v3] fs/ntfs3: add a boundary check for EA_FULL eadavis
2022-09-19 12:04           ` Dan Carpenter
2022-09-19 13:21             ` [PATCH v4] fs/ntfs3: Fix buffer overflow and integer overflow eadavis
2022-09-19 13:32             ` eadavis
2022-11-13  5:07               ` eadavis [this message]
2022-09-12  6:54 ` [PATCH v2] fs/netfs3: add a boundary check for EA_FULL eadavis
2022-09-14 15:34   ` Dan Carpenter
2023-01-26  8:13 ` [syzbot] KASAN: slab-out-of-bounds Read in ntfs_get_ea syzbot
2023-04-12 13:11   ` Aleksandr Nogikh

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:afd0ddad826 dfblob:188a76c2823 )
 OR (
bs:"[PATCH v5] fs/ntfs3: Validate parameter bytes and valid size" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221113050753.270164-1-eadavis@sina.com \
    --to=eadavis@sina.com \
    --cc=almaz.alexandrovich@paragon-software.com \
    --cc=dan.carpenter@oracle.com \
    --cc=eadaivs@sina.com \
    --cc=kbuild-all@lists.01.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lkp@intel.com \
    --cc=llvm@lists.linux.dev \
    --cc=nathan@kernel.org \
    --cc=ndesaulniers@google.com \
    --cc=ntfs3@lists.linux.dev \
    --cc=syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=trix@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox