From nobody Sun Feb 8 16:31:18 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D8816C0015E for ; Mon, 3 Jul 2023 07:27:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230457AbjGCH1w (ORCPT ); Mon, 3 Jul 2023 03:27:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33222 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230375AbjGCH1t (ORCPT ); Mon, 3 Jul 2023 03:27:49 -0400 Received: from relayaws-01.paragon-software.com (relayaws-01.paragon-software.com [35.157.23.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0FE02E73; Mon, 3 Jul 2023 00:27:24 -0700 (PDT) Received: from relayfre-01.paragon-software.com (unknown [172.30.72.12]) by relayaws-01.paragon-software.com (Postfix) with ESMTPS id 701271D74; Mon, 3 Jul 2023 07:22:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paragon-software.com; s=mail; t=1688368931; bh=D5iKNYHdfTlYuVyZq7hZxLedK3pQqQ8YbD1w2/CiIkM=; h=Date:Subject:From:To:CC:References:In-Reply-To; b=CI1shzojPy5vSQ43J+xYNHD1Gzp0EmNYBN5Mogs5S3EuABT2FjWh00R7QynsARaqy L7Nmq6ppKhjiM2BncRx78NR9lx2quEERAFxeRoJLHNXG0vHRzRFzpn1MxA6fpxxEmF Am2OoGIy/JyfpI/3JZUBFO6opPSLk7uzr8jti1/g= Received: from dlg2.mail.paragon-software.com (vdlg-exch-02.paragon-software.com [172.30.1.105]) by relayfre-01.paragon-software.com (Postfix) with ESMTPS id D85EF1D1E; Mon, 3 Jul 2023 07:27:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paragon-software.com; s=mail; t=1688369242; bh=D5iKNYHdfTlYuVyZq7hZxLedK3pQqQ8YbD1w2/CiIkM=; h=Date:Subject:From:To:CC:References:In-Reply-To; b=QLU2NYl/jPH9ptdm9LSZC8zXlU5D+m3dcAntTbIaWBkv4YUEl+TZvLtAyrmqWMP0X 0hjnpbirOKPB6D/3tyOtJXQ1+pbGGrisCNWVvD1n6B8kiABkXs1gxVlFPbqPIB2IZE fPlsir8M7+6++8uLNS8rbBZrXuMMDSSB6h1J6jto= Received: from [192.168.211.138] (192.168.211.138) by vdlg-exch-02.paragon-software.com (172.30.1.105) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.7; Mon, 3 Jul 2023 10:27:22 +0300 Message-ID: <18640b25-5018-ebf2-38d9-e750404cb66f@paragon-software.com> Date: Mon, 3 Jul 2023 11:27:21 +0400 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.12.0 Subject: [PATCH 6/8] fs/ntfs3: Add more attributes checks in mi_enum_attr() Content-Language: en-US From: Konstantin Komarov To: CC: Linux Kernel Mailing List , References: In-Reply-To: Content-Type: text/plain; charset="utf-8"; format="flowed" Content-Transfer-Encoding: quoted-printable X-Originating-IP: [192.168.211.138] X-ClientProxiedBy: vdlg-exch-02.paragon-software.com (172.30.1.105) To vdlg-exch-02.paragon-software.com (172.30.1.105) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Signed-off-by: Konstantin Komarov --- =C2=A0fs/ntfs3/record.c | 68 ++++++++++++++++++++++++++++++++++++---------= -- =C2=A01 file changed, 52 insertions(+), 16 deletions(-) diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c index cae939cb42cf..53629b1f65e9 100644 --- a/fs/ntfs3/record.c +++ b/fs/ntfs3/record.c @@ -199,8 +199,9 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi,=20 struct ATTRIB *attr) =C2=A0{ =C2=A0=C2=A0=C2=A0 =C2=A0const struct MFT_REC *rec =3D mi->mrec; =C2=A0=C2=A0=C2=A0 =C2=A0u32 used =3D le32_to_cpu(rec->used); -=C2=A0=C2=A0 =C2=A0u32 t32, off, asize; +=C2=A0=C2=A0 =C2=A0u32 t32, off, asize, prev_type; =C2=A0=C2=A0=C2=A0 =C2=A0u16 t16; +=C2=A0=C2=A0 =C2=A0u64 data_size, alloc_size, tot_size; =C2=A0=C2=A0=C2=A0 =C2=A0if (!attr) { =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0u32 total =3D le32_to_cpu(rec-= >total); @@ -219,6 +220,7 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi,=20 struct ATTRIB *attr) =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (!is_rec_inuse(rec)) =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0prev_type =3D 0; =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0attr =3D Add2Ptr(rec, off); =C2=A0=C2=A0=C2=A0 =C2=A0} else { =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0/* Check if input attr inside = record. */ @@ -232,11 +234,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi,=20 struct ATTRIB *attr) =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0} -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (off + asize < off) { -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0/* Overflow check= . */ +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0/* Overflow check. */ +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (off + asize < off) =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0} +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0prev_type =3D le32_to_cpu(attr->type= ); =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0attr =3D Add2Ptr(attr, asize); =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0off +=3D asize; =C2=A0=C2=A0=C2=A0 =C2=A0} @@ -256,7 +258,11 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi,=20 struct ATTRIB *attr) =C2=A0=C2=A0=C2=A0 =C2=A0/* 0x100 is last known attribute for now. */ =C2=A0=C2=A0=C2=A0 =C2=A0t32 =3D le32_to_cpu(attr->type); -=C2=A0=C2=A0 =C2=A0if ((t32 & 0xf) || (t32 > 0x100)) +=C2=A0=C2=A0 =C2=A0if (!t32 || (t32 & 0xf) || (t32 > 0x100)) +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; + +=C2=A0=C2=A0 =C2=A0/* attributes in record must be ordered by type */ +=C2=A0=C2=A0 =C2=A0if (t32 < prev_type) =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; =C2=A0=C2=A0=C2=A0 =C2=A0/* Check overflow and boundary. */ @@ -265,16 +271,15 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi,=20 struct ATTRIB *attr) =C2=A0=C2=A0=C2=A0 =C2=A0/* Check size of attribute. */ =C2=A0=C2=A0=C2=A0 =C2=A0if (!attr->non_res) { +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0/* Check resident fields. */ =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (asize < SIZEOF_RESIDENT) =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0t16 =3D le16_to_cpu(attr->res.= data_off); - =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (t16 > asize) =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0t32 =3D le32_to_cpu(attr->res.data_s= ize); -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (t16 + t32 > asize) +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (t16 + le32_to_cpu(attr->res.data= _size) > asize) =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0t32 =3D sizeof(short) * attr->= name_len; @@ -284,21 +289,52 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi,=20 struct ATTRIB *attr) =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return attr; =C2=A0=C2=A0=C2=A0 =C2=A0} -=C2=A0=C2=A0 =C2=A0/* Check some nonresident fields. */ -=C2=A0=C2=A0 =C2=A0if (attr->name_len && -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0 le16_to_cpu(attr->name_off) + sizeof= (short) * attr->name_len > -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0 le16_to_cpu(attr-= >nres.run_off)) { +=C2=A0=C2=A0 =C2=A0/* Check nonresident fields. */ +=C2=A0=C2=A0 =C2=A0if (attr->non_res !=3D 1) +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; + +=C2=A0=C2=A0 =C2=A0t16 =3D le16_to_cpu(attr->nres.run_off); +=C2=A0=C2=A0 =C2=A0if (t16 > asize) +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; + +=C2=A0=C2=A0 =C2=A0t32 =3D sizeof(short) * attr->name_len; +=C2=A0=C2=A0 =C2=A0if (t32 && le16_to_cpu(attr->name_off) + t32 > t16) +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; + +=C2=A0=C2=A0 =C2=A0/* Check start/end vcn. */ +=C2=A0=C2=A0 =C2=A0if (le64_to_cpu(attr->nres.svcn) > le64_to_cpu(attr->nr= es.evcn) + 1) +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; + +=C2=A0=C2=A0 =C2=A0data_size =3D le64_to_cpu(attr->nres.data_size); +=C2=A0=C2=A0 =C2=A0if (le64_to_cpu(attr->nres.valid_size) > data_size) =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; -=C2=A0=C2=A0 =C2=A0} -=C2=A0=C2=A0 =C2=A0if (attr->nres.svcn || !is_attr_ext(attr)) { +=C2=A0=C2=A0 =C2=A0alloc_size =3D le64_to_cpu(attr->nres.alloc_size); +=C2=A0=C2=A0 =C2=A0if (data_size > alloc_size) +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; + +=C2=A0=C2=A0 =C2=A0t32 =3D mi->sbi->cluster_mask; +=C2=A0=C2=A0 =C2=A0if (alloc_size & t32) +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; + +=C2=A0=C2=A0 =C2=A0if (!attr->nres.svcn && is_attr_ext(attr)) { +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0/* First segment of sparse/compresse= d attribute */ +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (asize + 8 < SIZEOF_NONRESIDENT_E= X) +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; + +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0tot_size =3D le64_to_cpu(attr->nres.= total_size); +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (tot_size & t32) +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; + +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (tot_size > alloc_size) +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; +=C2=A0=C2=A0 =C2=A0} else { =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (asize + 8 < SIZEOF_NONRESI= DENT) =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (attr->nres.c_unit) =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; -=C2=A0=C2=A0 =C2=A0} else if (asize + 8 < SIZEOF_NONRESIDENT_EX) -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0return NULL; +=C2=A0=C2=A0 =C2=A0} =C2=A0=C2=A0=C2=A0 =C2=A0return attr; =C2=A0} --=20 2.34.1