From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ziqi Zhao <astrajoan@yahoo.com>,
syzbot+60cf892fc31d1f4358fc@syzkaller.appspotmail.com,
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>,
Sasha Levin <sashal@kernel.org>,
ntfs3@lists.linux.dev
Subject: [PATCH AUTOSEL 5.15 08/28] fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e()
Date: Sun, 29 Oct 2023 18:58:43 -0400
Message-ID: <20231029225916.791798-8-sashal@kernel.org>
In-Reply-To: <20231029225916.791798-1-sashal@kernel.org>
From: Ziqi Zhao <astrajoan@yahoo.com>
[ Upstream commit 1f9b94af923c88539426ed811ae7e9543834a5c5 ]
Upon investigation of the C reproducer provided by Syzbot, it seemed
the reproducer was trying to mount a corrupted NTFS filesystem, then
issue a rename syscall to some nodes in the filesystem. This can be
shown by modifying the reproducer to only include the mount syscall,
and investigating the filesystem by e.g. `ls` and `rm` commands. As a
result, during the problematic call to `hdr_find_e`, the `inode` being
supplied did not go through `indx_init`, hence the `cmp` function
pointer was never set.

The fix is simply to check whether `cmp` is not set, and return NULL
if that's the case, in order to be consistent with other error
scenarios of the `hdr_find_e` method. The rationale behind this patch
is that:

- We should prevent crashing the kernel even if the mounted filesystem
  is corrupted. Any syscalls made on the filesystem could return
  invalid, but the kernel should be able to sustain these calls.
- Only very specific corruption would lead to this bug, so it would be
  a pretty rare case in actual usage anyways. Therefore, introducing a
  check to specifically protect against this bug seems appropriate.
  Because of its rarity, an `unlikely` clause is used to wrap around
  this nullity check.
Reported-by: syzbot+60cf892fc31d1f4358fc@syzkaller.appspotmail.com
Signed-off-by: Ziqi Zhao <astrajoan@yahoo.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/index.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 7705adc926b86..b49e62e2080b0 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -729,6 +729,9 @@ static struct NTFS_DE *hdr_find_e(const struct ntfs_index *indx,
u32 total = le32_to_cpu(hdr->total);
u16 offs[128];
+ if (unlikely(!cmp))
+ return NULL;
+
fill_table:
if (end > total)
return NULL;
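Review bot: the new `if (unlikely(!cmp)) return NULL;` guard deserves a one-line comment at the point of insertion, because a reader of index.c has no way to tell from the code that a NULL `cmp` means the index was never initialised through indx_init() on a corrupted volume; without it the check reads as dead code and is at risk of being "cleaned up" later. Something like `/* Index was not initialised (corrupt volume); see indx_init(). */` above the check would carry the rationale from the commit message into the source. The guard is also a symptom fix rather than a root-cause one: the commit message says the inode reached hdr_find_e() without going through indx_init(), so it would be worth a follow-up to make the caller path refuse to use an index whose `cmp` is unset (or to mark the volume as corrupt there) so that the failure is reported once at the source instead of silently turning every lookup into a NULL result.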
--
2.42.0