* Backport commit 4f082a753122 "fs/ntfs3: Enhance the attribute size check"
@ 2024-02-27 12:38 Doebel, Bjoern
From: Doebel, Bjoern @ 2024-02-27 12:38 UTC (permalink / raw)
  To: stable; +Cc: almaz.alexandrovich, edward.lo

Hi,

please backport commit 4f082a753122 "fs/ntfs3: Enhance the attribute size check" to the 6.1 stable branch.

Commit message:

"""
This combines the overflow and boundary check so that all attribute sizes
will be properly examined while enumerating them.
"""

We have seen Syzkaller reports for the 6.1 stable build and this patch fixes the issue. The issue does not reproduce on any of the other stable branches.

Best regards,
Bjoern


Report:
==================================================================
loop4: detected capacity change from 0 to 65536
BUG: KASAN: use-after-free in ntfs_read_mft+0x3187/0x3210 fs/ntfs3/inode.c:163
Read of size 8 at addr ffff888023c28036 by task syz-executor.5/29379

CPU: 1 PID: 29379 Comm: syz-executor.5 Not tainted 6.1.78 #33
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x70/0x93 lib/dump_stack.c:106
  print_address_description.constprop.0+0x81/0x2b0 mm/kasan/report.c:284
  print_report+0x116/0x1f6 mm/kasan/report.c:395
  kasan_report+0xad/0x130 mm/kasan/report.c:495
  ntfs_read_mft+0x3187/0x3210 fs/ntfs3/inode.c:163
  ntfs_iget5+0x1a7/0x240 fs/ntfs3/inode.c:524
  ntfs_loadlog_and_replay+0x128/0x5e0 fs/ntfs3/fsntfs.c:272
  ntfs_fill_super+0xb28/0x22c0 fs/ntfs3/super.c:1018
  get_tree_bdev+0x40a/0x700 fs/super.c:1355
  vfs_get_tree+0x86/0x2e0 fs/super.c:1562
  do_new_mount+0x344/0x6b0 fs/namespace.c:3051
  path_mount+0x4c4/0x17e0 fs/namespace.c:3381
  do_mount fs/namespace.c:3394 [inline]
  __do_sys_mount fs/namespace.c:3602 [inline]
  __se_sys_mount fs/namespace.c:3579 [inline]
  __x64_sys_mount+0x287/0x310 fs/namespace.c:3579
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
  entry_SYSCALL_64_after_hwframe+0x64/0xce
RIP: 0033:0x7fd43486377e
Code: 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd4355d6ec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fd4355d6f60 RCX: 00007fd43486377e
RDX: 000000002001f800 RSI: 0000000020000040 RDI: 00007fd4355d6f20
RBP: 000000002001f800 R08: 00007fd4355d6f60 R09: 0000000000000003
R10: 0000000000000003 R11: 0000000000000202 R12: 0000000020000040
R13: 00007fd4355d6f20 R14: 000000000001f7f9 R15: 0000000020000000
  </TASK>

Allocated by task 6435:
  kasan_save_stack+0x1c/0x40 mm/kasan/common.c:45
  kasan_set_track+0x21/0x30 mm/kasan/common.c:52
  __kasan_slab_alloc+0x6d/0x70 mm/kasan/common.c:328
  kasan_slab_alloc include/linux/kasan.h:201 [inline]
  slab_post_alloc_hook mm/slab.h:737 [inline]
  slab_alloc_node mm/slub.c:3398 [inline]
  slab_alloc mm/slub.c:3406 [inline]
  __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
  kmem_cache_alloc+0x144/0x320 mm/slub.c:3422
  getname_flags.part.0+0x55/0x4f0 fs/namei.c:139
  getname_flags+0x9d/0xf0 include/linux/audit.h:320
  vfs_fstatat+0x78/0xb0 fs/stat.c:266
  vfs_stat include/linux/fs.h:3352 [inline]
  __do_sys_newstat+0x89/0x110 fs/stat.c:410
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
  entry_SYSCALL_64_after_hwframe+0x64/0xce

Freed by task 6435:
  kasan_save_stack+0x1c/0x40 mm/kasan/common.c:45
  kasan_set_track+0x21/0x30 mm/kasan/common.c:52
  kasan_save_free_info+0x2a/0x50 mm/kasan/generic.c:516
  ____kasan_slab_free mm/kasan/common.c:236 [inline]
  ____kasan_slab_free+0x15b/0x1c0 mm/kasan/common.c:200
  kasan_slab_free include/linux/kasan.h:177 [inline]
  slab_free_hook mm/slub.c:1724 [inline]
  slab_free_freelist_hook mm/slub.c:1750 [inline]
  slab_free mm/slub.c:3661 [inline]
  kmem_cache_free+0x123/0x4c0 mm/slub.c:3683
  putname+0x12f/0x170 fs/namei.c:273
  vfs_fstatat+0x9b/0xb0 fs/stat.c:268
  vfs_stat include/linux/fs.h:3352 [inline]
  __do_sys_newstat+0x89/0x110 fs/stat.c:410
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
  entry_SYSCALL_64_after_hwframe+0x64/0xce

The buggy address belongs to the object at ffff888023c28000
  which belongs to the cache names_cache of size 4096
The buggy address is located 54 bytes inside of
  4096-byte region [ffff888023c28000, ffff888023c29000)

The buggy address belongs to the physical page:
page:0000000034b12153 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23c28
head:0000000034b12153 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0010200 0000000000000000 dead000000000001 ffff88800cf57a00
raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff888023c27f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff888023c27f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff888023c28000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                      ^
  ffff888023c28080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff888023c28100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879
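The commit message quoted above says the fix combines the overflow check and the boundary check on attribute sizes while enumerating them. The C example below is added here; it is not the kernel's code and not the commit itself. It uses a simplified two-field attribute header (an assumption for the example; the real ntfs3 structures carry more fields) to show why a separate `off + size <= rec_len` comparison done in 32-bit arithmetic can wrap on a crafted size and accept a record that then drives the enumerator out of bounds, and how comparing the size against the bytes remaining after `off` (and requiring at least a header's worth so the loop always advances) closes both gaps in one check. The record contents are constructed in `build_record`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified attribute record header (assumption for this example, not the
 * ntfs3 struct): a 32-bit type and the 32-bit total size of the record,
 * header included. */
struct attr_hdr {
    uint32_t type;
    uint32_t size;
};

#define ATTR_END 0xFFFFFFFFu  /* end-of-attributes marker */

/* Separate bound check done the overflow-prone way: `off + size` is computed
 * in 32 bits, so a size close to UINT32_MAX wraps and the comparison passes. */
bool attr_fits_naive(uint32_t off, uint32_t size, uint32_t rec_len)
{
    uint32_t end = off + size;  /* may wrap to a small value */
    return end <= rec_len;
}

/* Combined check: compare the size against the bytes that remain after `off`
 * (no addition, so nothing can overflow) and require at least a full header so
 * a zero or tiny size cannot stall or misalign the walk. */
bool attr_fits_safe(uint32_t off, uint32_t size, uint32_t rec_len)
{
    if (off > rec_len)
        return false;
    if (size < sizeof(struct attr_hdr))
        return false;
    return size <= rec_len - off;
}

/* Walk the attribute list using the safe check. Returns the number of
 * attributes before the end marker, or -1 if the record is malformed. */
int enumerate_attrs(const uint8_t *rec, uint32_t rec_len)
{
    uint32_t off = 0;
    int count = 0;

    for (;;) {
        struct attr_hdr h;

        /* The end marker is only the 4-byte type field. */
        if (rec_len - off < sizeof(uint32_t))
            return -1;
        memcpy(&h.type, rec + off, sizeof h.type);
        if (h.type == ATTR_END)
            return count;
        /* Anything else needs a whole header. */
        if (rec_len - off < sizeof h)
            return -1;
        memcpy(&h, rec + off, sizeof h);
        if (!attr_fits_safe(off, h.size, rec_len))
            return -1;
        off += h.size;  /* cannot overflow: size <= rec_len - off */
        count++;
    }
}

/* Constructed sample record: two 16-byte attributes (8-byte header plus
 * 8 zero payload bytes each) followed by the end marker. The second
 * attribute's size field is caller-chosen so a malformed one can be built.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t build_record(uint8_t *buf, size_t cap, uint32_t second_size)
{
    struct attr_hdr a1 = { 0x10, 16 };           /* constructed type ids */
    struct attr_hdr a2 = { 0x30, second_size };
    uint32_t end = ATTR_END;
    size_t off = 0;

    if (cap < 16 + 16 + sizeof end)
        return 0;
    memset(buf, 0, cap);
    memcpy(buf + off, &a1, sizeof a1); off += 16;
    memcpy(buf + off, &a2, sizeof a2); off += 16;
    memcpy(buf + off, &end, sizeof end); off += sizeof end;
    return off;
}

/* Build a 64-byte record with the given second size and enumerate it. */
int check_record(uint32_t second_size)
{
    uint8_t buf[64];

    if (build_record(buf, sizeof buf, second_size) == 0)
        return -2;
    return enumerate_attrs(buf, sizeof buf);
}

int main(void)
{
    printf("well-formed: %d attrs\n", check_record(16));
    printf("size 0xFFFFFFF0: naive check %s, safe walk %d\n",
           attr_fits_naive(16, 0xFFFFFFF0u, 64) ? "accepts" : "rejects",
           check_record(0xFFFFFFF0u));
    printf("size 0: naive check %s, safe walk %d\n",
           attr_fits_naive(16, 0, 64) ? "accepts" : "rejects",
           check_record(0));
    return 0;
}
```

The naive predicate accepts both the wrapping size and the zero size; the combined check rejects them and the enumerator stops at the first bad attribute instead of reading past the record.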

* Re: Backport commit 4f082a753122 "fs/ntfs3: Enhance the attribute size check"
From: Greg KH @ 2024-02-27 12:58 UTC (permalink / raw)
  To: Doebel, Bjoern; +Cc: stable, almaz.alexandrovich, edward.lo

On Tue, Feb 27, 2024 at 01:38:53PM +0100, Doebel, Bjoern wrote:
> Hi,
> 
> please backport commit 4f082a753122 "fs/ntfs3: Enhance the attribute size check" to the 6.1 stable branch.

Now queued up, thanks!

greg k-h
