From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Edward Lo <edward.lo@ambergroup.io>,
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 18/71] fs/ntfs3: Add null pointer check to attr_load_runs_vcn
Date: Mon, 2 Jan 2023 12:21:43 +0100 [thread overview]
Message-ID: <20230102110552.209912251@linuxfoundation.org> (raw)
In-Reply-To: <20230102110551.509937186@linuxfoundation.org>
From: Edward Lo <edward.lo@ambergroup.io>
[ Upstream commit 2681631c29739509eec59cc0b34e977bb04c6cf1 ]
Some metadata files are handled before MFT. This adds a null pointer
check for some corner cases that could lead to NPD while reading these
metadata files for a malformed NTFS image.
[ 240.190827] BUG: kernel NULL pointer dereference, address: 0000000000000158
[ 240.191583] #PF: supervisor read access in kernel mode
[ 240.191956] #PF: error_code(0x0000) - not-present page
[ 240.192391] PGD 0 P4D 0
[ 240.192897] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 240.193805] CPU: 0 PID: 242 Comm: mount Tainted: G B 5.19.0+ #17
[ 240.194477] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 240.195152] RIP: 0010:ni_find_attr+0xae/0x300
[ 240.195679] Code: c8 48 c7 45 88 c0 4e 5e 86 c7 00 f1 f1 f1 f1 c7 40 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 e2 d9f
[ 240.196642] RSP: 0018:ffff88800812f690 EFLAGS: 00000286
[ 240.197019] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff85ef037a
[ 240.197523] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff88e95f60
[ 240.197877] RBP: ffff88800812f738 R08: 0000000000000001 R09: fffffbfff11d2bed
[ 240.198292] R10: ffffffff88e95f67 R11: fffffbfff11d2bec R12: 0000000000000000
[ 240.198647] R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000
[ 240.199410] FS: 00007f233c33be40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000
[ 240.199895] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 240.200314] CR2: 0000000000000158 CR3: 0000000004d32000 CR4: 00000000000006f0
[ 240.200839] Call Trace:
[ 240.201104] <TASK>
[ 240.201502] ? ni_load_mi+0x80/0x80
[ 240.202297] ? ___slab_alloc+0x465/0x830
[ 240.202614] attr_load_runs_vcn+0x8c/0x1a0
[ 240.202886] ? __kasan_slab_alloc+0x32/0x90
[ 240.203157] ? attr_data_write_resident+0x250/0x250
[ 240.203543] mi_read+0x133/0x2c0
[ 240.203785] mi_get+0x70/0x140
[ 240.204012] ni_load_mi_ex+0xfa/0x190
[ 240.204346] ? ni_std5+0x90/0x90
[ 240.204588] ? __kasan_kmalloc+0x88/0xb0
[ 240.204859] ni_enum_attr_ex+0xf1/0x1c0
[ 240.205107] ? ni_fname_type.part.0+0xd0/0xd0
[ 240.205600] ? ntfs_load_attr_list+0xbe/0x300
[ 240.205864] ? ntfs_cmp_names_cpu+0x125/0x180
[ 240.206157] ntfs_iget5+0x56c/0x1870
[ 240.206510] ? ntfs_get_block_bmap+0x70/0x70
[ 240.206776] ? __kasan_kmalloc+0x88/0xb0
[ 240.207030] ? set_blocksize+0x95/0x150
[ 240.207545] ntfs_fill_super+0xb8f/0x1e20
[ 240.207839] ? put_ntfs+0x1d0/0x1d0
[ 240.208069] ? vsprintf+0x20/0x20
[ 240.208467] ? mutex_unlock+0x81/0xd0
[ 240.208846] ? set_blocksize+0x95/0x150
[ 240.209221] get_tree_bdev+0x232/0x370
[ 240.209804] ? put_ntfs+0x1d0/0x1d0
[ 240.210519] ntfs_fs_get_tree+0x15/0x20
[ 240.210991] vfs_get_tree+0x4c/0x130
[ 240.211455] path_mount+0x645/0xfd0
[ 240.211806] ? putname+0x80/0xa0
[ 240.212112] ? finish_automount+0x2e0/0x2e0
[ 240.212559] ? kmem_cache_free+0x110/0x390
[ 240.212906] ? putname+0x80/0xa0
[ 240.213329] do_mount+0xd6/0xf0
[ 240.213829] ? path_mount+0xfd0/0xfd0
[ 240.214246] ? __kasan_check_write+0x14/0x20
[ 240.214774] __x64_sys_mount+0xca/0x110
[ 240.215080] do_syscall_64+0x3b/0x90
[ 240.215442] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 240.215811] RIP: 0033:0x7f233b4e948a
[ 240.216104] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
[ 240.217615] RSP: 002b:00007fff02211ec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 240.218718] RAX: ffffffffffffffda RBX: 0000561cdc35b060 RCX: 00007f233b4e948a
[ 240.219556] RDX: 0000561cdc35b260 RSI: 0000561cdc35b2e0 RDI: 0000561cdc363af0
[ 240.219975] RBP: 0000000000000000 R08: 0000561cdc35b280 R09: 0000000000000020
[ 240.220403] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000561cdc363af0
[ 240.220803] R13: 0000561cdc35b260 R14: 0000000000000000 R15: 00000000ffffffff
[ 240.221256] </TASK>
[ 240.221567] Modules linked in:
[ 240.222028] CR2: 0000000000000158
[ 240.223291] ---[ end trace 0000000000000000 ]---
[ 240.223669] RIP: 0010:ni_find_attr+0xae/0x300
[ 240.224058] Code: c8 48 c7 45 88 c0 4e 5e 86 c7 00 f1 f1 f1 f1 c7 40 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 e2 d9f
[ 240.225033] RSP: 0018:ffff88800812f690 EFLAGS: 00000286
[ 240.225968] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff85ef037a
[ 240.226624] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff88e95f60
[ 240.227307] RBP: ffff88800812f738 R08: 0000000000000001 R09: fffffbfff11d2bed
[ 240.227816] R10: ffffffff88e95f67 R11: fffffbfff11d2bec R12: 0000000000000000
[ 240.228330] R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000
[ 240.228729] FS: 00007f233c33be40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000
[ 240.229281] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 240.230298] CR2: 0000000000000158 CR3: 0000000004d32000 CR4: 00000000000006f0
Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/attrib.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c
index 0d354560d323..578c2bcfb1d9 100644
--- a/fs/ntfs3/attrib.c
+++ b/fs/ntfs3/attrib.c
@@ -1221,6 +1221,11 @@ int attr_load_runs_vcn(struct ntfs_inode *ni, enum ATTR_TYPE type,
CLST svcn, evcn;
u16 ro;
+ if (!ni) {
+ /* Is record corrupted? */
+ return -ENOENT;
+ }
+
attr = ni_find_attr(ni, NULL, NULL, type, name, name_len, &vcn, NULL);
if (!attr) {
/* Is record corrupted? */
--
2.35.1
next prev parent reply other threads:[~2023-01-02 11:25 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-02 11:21 [PATCH 6.1 00/71] 6.1.3-rc1 review Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 01/71] eventpoll: add EPOLL_URING_WAKE poll wakeup flag Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 02/71] eventfd: provide a eventfd_signal_mask() helper Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 03/71] io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and wakeups Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 04/71] nvme-pci: fix doorbell buffer value endianness Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 05/71] nvme-pci: fix mempool alloc size Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 06/71] nvme-pci: fix page size checks Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 07/71] ACPI: resource: do IRQ override on XMG Core 15 Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 08/71] ACPI: resource: do IRQ override on Lenovo 14ALC7 Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 09/71] ACPI: resource: Add Asus ExpertBook B2502 to Asus quirks Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 10/71] ACPI: video: Fix Apple GMUX backlight detection Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 11/71] block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 12/71] ata: ahci: Fix PCS quirk application for suspend Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 13/71] nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 14/71] nvmet: dont defer passthrough commands with trivial effects to the workqueue Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 15/71] fs/ntfs3: Validate BOOT record_size Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 16/71] fs/ntfs3: Add overflow check for attribute size Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 17/71] fs/ntfs3: Validate data run offset Greg Kroah-Hartman
2023-01-02 11:21 ` Greg Kroah-Hartman [this message]
2023-01-02 11:21 ` [PATCH 6.1 19/71] fs/ntfs3: Fix memory leak on ntfs_fill_super() error path Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 20/71] fs/ntfs3: Add null pointer check for inode operations Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 21/71] fs/ntfs3: Validate attribute name offset Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 22/71] fs/ntfs3: Validate buffer length while parsing index Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 23/71] fs/ntfs3: Validate resident attribute name Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 24/71] fs/ntfs3: Fix slab-out-of-bounds read in run_unpack Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 25/71] soundwire: dmi-quirks: add quirk variant for LAPBC710 NUC15 Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 26/71] phy: sun4i-usb: Introduce port2 SIDDQ quirk Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 27/71] phy: sun4i-usb: Add support for the H616 USB PHY Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 28/71] fs/ntfs3: Validate index root when initialize NTFS security Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 29/71] fs/ntfs3: Use __GFP_NOWARN allocation at wnd_init() Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 30/71] fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_fill_super() Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 31/71] fs/ntfs3: Delete duplicate condition in ntfs_read_mft() Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 32/71] fs/ntfs3: Fix slab-out-of-bounds in r_page Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 33/71] objtool: Fix SEGFAULT Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.1 34/71] iommu/mediatek: Fix crash on isr after kexec() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 35/71] powerpc/rtas: avoid device tree lookups in rtas_os_term() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 36/71] powerpc/rtas: avoid scheduling " Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 37/71] rtc: msc313: Fix function prototype mismatch in msc313_rtc_probe() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 38/71] NFSD: fix use-after-free in __nfs42_ssc_open() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 39/71] kprobes: kretprobe events missing on 2-core KVM guest Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 40/71] HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 41/71] HID: plantronics: Additional PIDs for double volume key presses quirk Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 42/71] futex: Fix futex_waitv() hrtimer debug object leak on kcalloc error Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 43/71] rtmutex: Add acquire semantics for rtmutex lock acquisition slow path Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 44/71] mm, mremap: fix mremap() expanding vma with addr inside vma Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 45/71] mm/mempolicy: fix memory leak in set_mempolicy_home_node system call Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 46/71] kmsan: export kmsan_handle_urb Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 47/71] kmsan: include linux/vmalloc.h Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 48/71] pstore: Properly assign mem_type property Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 49/71] pstore/zone: Use GFP_ATOMIC to allocate zone buffer Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 50/71] hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 51/71] ACPI: x86: s2idle: Force AMD GUID/_REV 2 on HP Elitebook 865 Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 52/71] ACPI: x86: s2idle: Stop using AMD specific codepath for Rembrandt+ Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 53/71] binfmt: Fix error return code in load_elf_fdpic_binary() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 54/71] ovl: Use ovl mounters fsuid and fsgid in ovl_link() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 55/71] ovl: update ->f_iocb_flags when ovl_change_flags() modifies ->f_flags Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 56/71] ALSA: line6: correct midi status byte when receiving data from podxt Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 57/71] ALSA: line6: fix stack overflow in line6_midi_transmit Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 58/71] ALSA: hda/hdmi: Static PCM mapping again with AMD HDMI codecs Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 59/71] pnode: terminate at peers of source Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 60/71] mfd: mt6360: Add bounds checking in Regmap read/write call-backs Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 61/71] md: fix a crash in mempool_free Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 62/71] mm, compaction: fix fast_isolate_around() to stay within boundaries Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 63/71] f2fs: should put a page when checking the summary info Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 64/71] f2fs: allow to read node block after shutdown Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 65/71] block: Do not reread partition table on exclusively open device Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 66/71] mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 67/71] tpm: acpi: Call acpi_put_table() to fix memory leak Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 68/71] tpm: tpm_crb: Add the missed " Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 69/71] tpm: tpm_tis: " Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 70/71] SUNRPC: Dont leak netobj memory when gss_read_proxy_verf() fails Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.1 71/71] kcsan: Instrument memcpy/memset/memmove with newer Clang Greg Kroah-Hartman
2023-01-02 23:14 ` [PATCH 6.1 00/71] 6.1.3-rc1 review Rudi Heitbaum
2023-01-03 0:25 ` Shuah Khan
2023-01-03 1:13 ` Guenter Roeck
2023-01-03 7:24 ` Fenil Jain
2023-01-03 8:40 ` Naresh Kamboju
2023-01-03 8:45 ` Naresh Kamboju
2023-01-03 8:59 ` Ron Economos
2023-01-03 10:34 ` Sudip Mukherjee (Codethink)
2023-01-03 12:08 ` Bagas Sanjaya
2023-01-03 13:22 ` Allen Pais
2023-01-03 19:33 ` Florian Fainelli
2023-01-04 1:39 ` Justin Forbes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230102110552.209912251@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=almaz.alexandrovich@paragon-software.com \
--cc=edward.lo@ambergroup.io \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).