From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Abdun Nihaal, Konstantin Komarov, syzbot+fa4648a5446460b7b963@syzkaller.appspotmail.com
Subject: [PATCH 6.1 200/208] fs/ntfs3: Validate attribute data and valid sizes
Date: Tue, 7 Feb 2023 13:57:34 +0100
Message-Id: <20230207125643.553605626@linuxfoundation.org>
X-Mailer: git-send-email 2.39.1
In-Reply-To: <20230207125634.292109991@linuxfoundation.org>
References: <20230207125634.292109991@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: stable@vger.kernel.org

From: Abdun Nihaal

commit 019d22eb0eb707fc099e6e8fad9b3933236a06d0 upstream.

The data_size and valid_size fields of non-resident attributes should be
less than its alloc_size field, but this is not checked in the
ntfs_read_mft function.

Syzbot reports an allocation order warning due to a large unchecked value
of data_size getting assigned to inode->i_size which is then passed to
kcalloc.

Add sanity check for ensuring that the data_size and valid_size fields are
not larger than alloc_size field.

Link: https://syzkaller.appspot.com/bug?extid=fa4648a5446460b7b963
Reported-and-tested-by: syzbot+fa4648a5446460b7b963@syzkaller.appspotmail.com
Fixes: (82cae269cfa95) fs/ntfs3: Add initialization of super block
Signed-off-by: Abdun Nihaal
Signed-off-by: Konstantin Komarov
Signed-off-by: Greg Kroah-Hartman
---
 fs/ntfs3/inode.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -132,6 +132,13 @@ next_attr:
 	if (le16_to_cpu(attr->name_off) + attr->name_len > asize)
 		goto out;
 
+	if (attr->non_res) {
+		t64 = le64_to_cpu(attr->nres.alloc_size);
+		if (le64_to_cpu(attr->nres.data_size) > t64 ||
+		    le64_to_cpu(attr->nres.valid_size) > t64)
+			goto out;
+	}
+
 	switch (attr->type) {
 	case ATTR_STD:
 		if (attr->non_res ||
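Review bot: the new block ahead of `switch (attr->type)` bounds data_size and valid_size only by alloc_size, not against each other; for a non-resident NTFS attribute the expected ordering is valid_size <= data_size <= alloc_size, so a crafted record with valid_size > data_size (but both within alloc_size) still passes and reaches the per-type handling below. Consider tightening the second comparison to check valid_size against data_size, e.g. `le64_to_cpu(attr->nres.valid_size) > le64_to_cpu(attr->nres.data_size)`, which keeps the alloc_size bound via the first test. The placement is otherwise right: it runs once for every non-resident attribute before any type-specific code consumes the sizes, and using `>` rather than `>=` correctly accepts the common case of data_size equal to alloc_size. The commit message says the fields "should be less than" alloc_size; "no larger than" would match what the code enforces.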