From: Al Viro <viro@zeniv.linux.org.uk>
To: Lizhi Xu <lizhi.xu@windriver.com>
Cc: syzbot+598057afa0f49e62bd23@syzkaller.appspotmail.com,
	almaz.alexandrovich@paragon-software.com,
	linux-kernel@vger.kernel.org, ntfs3@lists.linux.dev,
	syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] fs/ntfs3: Add sanity check for file name
Date: Fri, 6 Jun 2025 05:25:01 +0100	[thread overview]
Message-ID: <20250606042501.GR299672@ZenIV> (raw)
In-Reply-To: <20250606035125.1693536-1-lizhi.xu@windriver.com>

On Fri, Jun 06, 2025 at 11:51:24AM +0800, Lizhi Xu wrote:
> The length of the file name should be smaller than the directory entry size.
> 
> Reported-by: syzbot+598057afa0f49e62bd23@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=598057afa0f49e62bd23
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> ---
>  fs/ntfs3/dir.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c
> index b6da80c69ca6..b31bc9cbfa35 100644
> --- a/fs/ntfs3/dir.c
> +++ b/fs/ntfs3/dir.c
> @@ -304,6 +304,9 @@ static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi,
>  	if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN))
>  		return true;
>  
> +	if (fname->name_len > le16_to_cpu(e->size) - sizeof(struct NTFS_DE))
> +		return true;
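Review bot: the subtraction `le16_to_cpu(e->size) - sizeof(struct NTFS_DE)` in the added check is evaluated in size_t, so any e->size smaller than sizeof(struct NTFS_DE) (0 included) wraps to a huge value and the corrupt entry passes the check instead of being skipped; write it as `if (sizeof(struct NTFS_DE) + fname->name_len > le16_to_cpu(e->size))` so the comparison stays unsigned without a wraparound path (fname->name_len is a u8, so the sum cannot overflow).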

And if e->size happens to be e.g. 0?  Note that (unsigned short)0 - sizeof(whatever)
ends up being a large unsigned.

unsigned short gets promoted to int.  sizeof is size_t - whatever it is,
it's an unsigned integer type, with rank no lower than that of int.

Since we have the entire range of unsigned short representable by int on all
architectures we care about, we get unsigned short promoted to int (preserving
the value) and then to size_t (value taken modulo range of size_t, i.e.
the original unsigned short value preserved).  Incidentally, even on a target
where sizeof(unsigned short) == sizeof(int) we'd still get an unsigned result -
unsigned short would be promoted to unsigned int, and mix of two unsigned
integer types gets converted to whichever has the higher rank.

IOW, comparison in
	if (fname->name_len > le16_to_cpu(e->size) - sizeof(struct NTFS_DE))
is going to be an unsigned one.  AFAICS, fname->name_len is u8, so just
turn that check into
	if (sizeof(struct NTFS_DE) + fname->name_len > le16_to_cpu(e->size))
and be done with that - comparison is, again, unsigned, but there's no
possibility of wraparounds in that variant.
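The promotion chain described above, as an added example that is not part of this thread or of the kernel tree: the structures are constructed stand-ins (only the u16 entry size and u8 name_len types matter), and the two checks reproduce the patch's expression and the suggested rewrite.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, not the real on-disk layouts: a 16-byte
 * directory-entry header whose size field is a 16-bit value, and a
 * name record whose name_len is a u8. */
struct NTFS_DE {
	uint8_t hdr[16];
};

/* 1 if (u16) - sizeof(...) has type size_t, 0 otherwise; this is the
 * type the original check's right-hand side is evaluated in. */
int subtraction_is_size_t(void)
{
	uint16_t size = 0;
	return _Generic(size - sizeof(struct NTFS_DE), size_t: 1, default: 0);
}

/* The patch's check: returns 1 when the entry would be skipped. */
int rejects_original(uint16_t e_size, uint8_t name_len)
{
	/* e_size promotes to int, then to size_t; 0 - 16 wraps to SIZE_MAX-15 */
	return name_len > e_size - sizeof(struct NTFS_DE);
}

/* The suggested form: addition on the left, so nothing can wrap. */
int rejects_fixed(uint16_t e_size, uint8_t name_len)
{
	return sizeof(struct NTFS_DE) + name_len > e_size;
}

int main(void)
{
	printf("subtraction yields size_t: %d\n", subtraction_is_size_t());
	/* e->size == 0: the original check lets the bogus entry through */
	printf("e->size=0,  name_len=5: original=%d fixed=%d\n",
	       rejects_original(0, 5), rejects_fixed(0, 5));
	/* a sane entry: both forms agree */
	printf("e->size=64, name_len=5: original=%d fixed=%d\n",
	       rejects_original(64, 5), rejects_fixed(64, 5));
	return 0;
}
```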


Thread overview:
2025-06-04 16:49 [syzbot] [ntfs3?] KASAN: slab-out-of-bounds Read in ntfs_utf16_to_nls syzbot
2025-06-06  3:51 ` [PATCH] fs/ntfs3: Add sanity check for file name Lizhi Xu
2025-06-06  4:25   ` Al Viro [this message]
2025-06-06  5:16     ` [PATCH V2] " Lizhi Xu
