fs/ntfs/inode.c · v5.10-rc6 · Dennis Giaya / linux · GitLab

Oct 13, 2020

ntfs: add check for mft record size in superblock · 4f8c9402

Rustam Kovhaev authored Oct 13, 2020

Number of bytes allocated for mft record should be equal to the mft record
size stored in ntfs superblock as reported by syzbot, userspace might
trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find()

Reported-by: <syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com>
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Tested-by: <syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com>
Acked-by: Anton Altaparmakov <anton@tuxera.com>
Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e
Link: https://lkml.kernel.org/r/20200824022804.226242-1-rkovhaev@gmail.com

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

4f8c9402

ntfs: add check for mft record size in superblock

Rustam Kovhaev authored Oct 13, 2020

Number of bytes allocated for mft record should be equal to the mft record
size stored in ntfs superblock as reported by syzbot, userspace might
trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find()

Reported-by: <syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com>
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Tested-by: <syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com>
Acked-by: Anton Altaparmakov <anton@tuxera.com>
Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e
Link: https://lkml.kernel.org/r/20200824022804.226242-1-rkovhaev@gmail.com

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>