linux/fs/ntfs
Desmond Cheong Zhi Xi c4868118fa ntfs: fix validity check for file name attribute
commit d98e4d95411bbde2220a7afa38dcc9c14d71acbe upstream.

When checking the file name attribute, we want to ensure that it fits
within the bounds of ATTR_RECORD.  To do this, we should check that (attr
record + file name offset + file name length) < (attr record + attr record
length).

However, the original check did not include the file name offset in the
calculation.  This means that corrupted on-disk metadata might not caught
by the incorrect file name check, and lead to an invalid memory access.

An example can be seen in the crash report of a memory corruption error
found by Syzbot:
https://syzkaller.appspot.com/bug?id=a1a1e379b225812688566745c3e2f7242bffc246

Adding the file name offset to the validity check fixes this error and
passes the Syzbot reproducer test.

Link: https://lkml.kernel.org/r/20210614050540.289494-1-desmondcheongzx@gmail.com
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Reported-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
Tested-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
Acked-by: Anton Altaparmakov <anton@tuxera.com>
Cc: Shuah Khan <skhan@linuxfoundation.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-07-14 16:53:01 +02:00
..
Kconfig
Makefile
aops.c
aops.h
attrib.c
attrib.h
bitmap.c
bitmap.h
collate.c
collate.h
compress.c
debug.c
debug.h
dir.c
dir.h
endian.h
file.c
index.c
index.h
inode.c
inode.h
layout.h
lcnalloc.c
lcnalloc.h
logfile.c
logfile.h
malloc.h
mft.c
mft.h
mst.c
namei.c
ntfs.h
quota.c
quota.h
runlist.c
runlist.h
super.c
sysctl.c
sysctl.h
time.h
types.h
unistr.c
upcase.c
usnjrnl.c
usnjrnl.h
volume.h