[PATCH AUTOSEL 6.6 17/23] fs/ntfs3: Add sanity check for file name

[Sasha Levin <sashal@kernel.org>]

From: Lizhi Xu <lizhi.xu@windriver.com>

[ Upstream commit e841ecb139339602bc1853f5f09daa5d1ea920a2 ]

The length of the file name should be smaller than the directory entry size.

Reported-by: syzbot+598057afa0f49e62bd23@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=598057afa0f49e62bd23
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

Looking at the code context and the patch, I can now provide my
analysis.

**Backport Status: YES**

This commit should be backported to stable kernel trees. Here's my
extensive analysis:

## Security Impact Analysis

The commit adds a critical bounds check that prevents a potential out-
of-bounds read vulnerability in the NTFS3 filesystem driver. The
vulnerability occurs in the `ntfs_dir_emit()` function at
fs/ntfs3/dir.c:307-308.

## Technical Details of the Fix

The patch adds this sanity check:
```c
if (fname->name_len + sizeof(struct NTFS_DE) > le16_to_cpu(e->size))
    return true;
```

This check validates that the file name length doesn't exceed the
directory entry size before attempting to read the file name data.
Without this check, the code at line 307-308:
```c
name_len = ntfs_utf16_to_nls(sbi, fname->name, fname->name_len, name,
PATH_MAX);
```

Could read beyond the allocated memory for the directory entry if a
malformed NTFS filesystem contains a `fname->name_len` value that
extends past the actual directory entry boundary.

## Why This Should Be Backported

1. **Security Fix**: This fixes a syzbot-reported security vulnerability
   that could lead to out-of-bounds memory reads, potentially exposing
   kernel memory contents or causing crashes.

2. **Small and Contained**: The fix is just 2 lines of code - a simple
   bounds check that returns early if the condition is violated. This
   minimizes the risk of introducing regressions.

3. **Clear Bug Fix**: This is not a feature addition or architectural
   change - it's a straightforward security hardening fix that adds
   missing input validation.

4. **Filesystem Data Validation**: The fix validates untrusted
   filesystem data, which is critical since malformed filesystem images
   could be mounted by unprivileged users in some configurations.

5. **No Side Effects**: The fix simply causes the code to skip malformed
   directory entries rather than processing them, which is the safe and
   expected behavior.

6. **Follows Stable Rules**: This meets the stable kernel criteria:
   - Fixes a real bug (out-of-bounds read)
   - Small change (2 lines)
   - Obviously correct (simple bounds check)
   - Already tested (reported and fixed via syzbot)

The commit follows a pattern of similar NTFS3 sanity checks that have
been backported, as shown by the git log search revealing multiple
validation fixes like "Validate buffer length while parsing index",
"Validate data run offset", etc.

 fs/ntfs3/dir.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c
index e1b856ecce61..6b93c909bdc9 100644
--- a/fs/ntfs3/dir.c
+++ b/fs/ntfs3/dir.c
@@ -304,6 +304,9 @@ static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi,
 	if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN))
 		return true;
 
+	if (fname->name_len + sizeof(struct NTFS_DE) > le16_to_cpu(e->size))
+		return true;
+
 	name_len = ntfs_utf16_to_nls(sbi, fname->name, fname->name_len, name,
 				     PATH_MAX);
 	if (name_len <= 0) {
-- 
2.39.5