From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BAA3FC001E0 for ; Mon, 23 Oct 2023 11:20:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230427AbjJWLUa (ORCPT ); Mon, 23 Oct 2023 07:20:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40048 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233821AbjJWLU1 (ORCPT ); Mon, 23 Oct 2023 07:20:27 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6666D101 for ; Mon, 23 Oct 2023 04:20:17 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A673AC433C7; Mon, 23 Oct 2023 11:20:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1698060017; bh=Fr6+9CGjE9AveJKK+fpX/e1UKRPuwGG/Yc+ltycHdzY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DIUGCeplkT4T3eAPJscEl1ZvF205Ygk3iGpcebvPuEDWZunl1DlIJTte8PvPKuve6 MSKVmi1n9ZCAh1wmMhQ81OA4839rDDEsvR0yB/Sp2gYaixEskYKdKqvmNrdsljhMd8 9BceiuA0ZBdqeobp0dnh3jwk1K5E8vvlZ6B7Elso= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, syzbot+60cf892fc31d1f4358fc@syzkaller.appspotmail.com, Ziqi Zhao , Konstantin Komarov Subject: [PATCH 6.1 031/196] fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e() Date: Mon, 23 Oct 2023 12:54:56 +0200 Message-ID: <20231023104829.370213063@linuxfoundation.org> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231023104828.488041585@linuxfoundation.org> References: <20231023104828.488041585@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org 6.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ziqi Zhao commit 1f9b94af923c88539426ed811ae7e9543834a5c5 upstream. Upon investigation of the C reproducer provided by Syzbot, it seemed the reproducer was trying to mount a corrupted NTFS filesystem, then issue a rename syscall to some nodes in the filesystem. This can be shown by modifying the reproducer to only include the mount syscall, and investigating the filesystem by e.g. `ls` and `rm` commands. As a result, during the problematic call to `hdr_fine_e`, the `inode` being supplied did not go through `indx_init`, hence the `cmp` function pointer was never set. The fix is simply to check whether `cmp` is not set, and return NULL if that's the case, in order to be consistent with other error scenarios of the `hdr_find_e` method. The rationale behind this patch is that: - We should prevent crashing the kernel even if the mounted filesystem is corrupted. Any syscalls made on the filesystem could return invalid, but the kernel should be able to sustain these calls. - Only very specific corruption would lead to this bug, so it would be a pretty rare case in actual usage anyways. Therefore, introducing a check to specifically protect against this bug seems appropriate. Because of its rarity, an `unlikely` clause is used to wrap around this nullity check. Reported-by: syzbot+60cf892fc31d1f4358fc@syzkaller.appspotmail.com Signed-off-by: Ziqi Zhao Signed-off-by: Konstantin Komarov Signed-off-by: Greg Kroah-Hartman --- fs/ntfs3/index.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/ntfs3/index.c +++ b/fs/ntfs3/index.c @@ -729,6 +729,9 @@ static struct NTFS_DE *hdr_find_e(const u32 total = le32_to_cpu(hdr->total); u16 offs[128]; + if (unlikely(!cmp)) + return NULL; + fill_table: if (end > total) return NULL;