From patchwork Fri Dec 30 11:25:48 2022
X-Patchwork-Submitter: Konstantin Komarov
X-Patchwork-Id: 37646
Message-ID: <4628ae8a-39e9-ecf8-3efe-193a1ad14d23@paragon-software.com>
Date: Fri, 30 Dec 2022 15:25:48 +0400
Subject: [PATCH 3/5] fs/ntfs3: Check for extremely large size of $AttrDef
From: Konstantin Komarov
X-Mailing-List: linux-kernel@vger.kernel.org

Added additional checking for size of $AttrDef.
Added comment.

Signed-off-by: Konstantin Komarov
---  fs/ntfs3/super.c | 10 +++++++++-  1 file changed, 9 insertions(+), 1 deletion(-)      if (!t) { diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c index ef4ea3f21905..0967035146ce 100644 --- a/fs/ntfs3/super.c +++ b/fs/ntfs3/super.c 
@@ -1185,10 +1185,18 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)          goto out;      } -    if (inode->i_size < sizeof(struct ATTR_DEF_ENTRY)) { +    /* +     * Typical $AttrDef contains up to 20 entries. +     * Check for extremely large size. +     */ +    if (inode->i_size < sizeof(struct ATTR_DEF_ENTRY) || +        inode->i_size > 100 * sizeof(struct ATTR_DEF_ENTRY)) { +        ntfs_err(sb, "Looks like $AttrDef is corrupted (size=%llu).", +             inode->i_size);          err = -EINVAL;          goto put_inode_out;      } +      bytes = inode->i_size;      sbi->def_table = t = kmalloc(bytes, GFP_NOFS | __GFP_NOWARN);
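Review bot: The upper bound in the new condition, "inode->i_size > 100 * sizeof(struct ATTR_DEF_ENTRY)", is a bare 100, while the comment directly above it says a typical $AttrDef holds up to 20 entries, so the reader cannot tell where the limit comes from. Suggest a named constant for the maximum entry count and a comment that states the chosen margin over the typical case. The new ntfs_err() call prints inode->i_size with %llu, but i_size is a signed loff_t; use %lld or an explicit cast so a negative size from a corrupted volume is logged as such. The commit message says only that a check and a comment were added; since the trailing context shows the validated size becoming "bytes" for the kmalloc() of def_table, it would help to say that the check bounds an allocation size read from the on-disk image.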