[PATCH v4] ntfs : fix shift-out-of-bounds in ntfs_iget

Manas Ghandat posted 1 patch 2 years, 4 months ago
There is a newer version of this series
Posted by Manas Ghandat 2 years, 4 months ago
Currently there is no check for ni->itype.compressed.block_size when
a->data.non_resident.compression_unit is present and NInoSparse(ni) is
true. Added the required check to the calculation of block size.

Signed-off-by: Manas Ghandat <ghandatmanas@gmail.com>
Reported-by: syzbot+4768a8f039aa677897d0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4768a8f039aa677897d0
Fix-commit-ID: upstream f40ddce88593482919761f74910f42f4b84c004b
---
V3 -> V4: Fix description
V2 -> V3: Fix patching issue.
V1 -> V2: Cleaned up coding style.

 fs/ntfs/inode.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index 6c3f38d66579..a657322874ed 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -1077,6 +1077,15 @@ static int ntfs_read_locked_inode(struct inode *vi)
 					goto unm_err_out;
 				}
 				if (a->data.non_resident.compression_unit) {
+					if (a->data.non_resident.compression_unit +
+					vol->cluster_size_bits > 32) {
+						ntfs_error(vi->i_sb,
+						"Found non-standard compression unit (%u).   Cannot handle this.",
+						a->data.non_resident.compression_unit
+						);
+						err = -EOPNOTSUPP;
+						goto unm_err_out;
+					}
 					ni->itype.compressed.block_size = 1U <<
 							(a->data.non_resident.
 							compression_unit +
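Review bot: The bound `vol->cluster_size_bits > 32` is off by one for the shift it protects: `block_size` is computed as `1U << (compression_unit + cluster_size_bits)` and `1U` is 32 bits wide, so a total shift count of exactly 32 is still undefined behaviour and still the shift-out-of-bounds that syzbot reported; the comparison should be `>= 32` (or against `8 * sizeof(1U)`). The commit message also frames the missing check around NInoSparse(ni), while the hunk adds it for every inode reaching this branch, which the message should say. Minor: the three spaces before "Cannot handle this." in the error string look unintentional.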
-- 
2.37.2
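The shift the patch guards, reproduced as a stand-alone check (an added example, not code from the patch or from fs/ntfs; the 8-bit field width, the 4 KiB cluster size and the compression unit of 4 are assumed values, the last taken from Namjae's remark later in the thread):

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not code from the patch or from fs/ntfs.  It mirrors the
 * computation in ntfs_read_locked_inode(),
 *     block_size = 1U << (compression_unit + cluster_size_bits),
 * where both operands come from on-disk metadata of a possibly corrupted
 * or fuzzed image.  An 8-bit compression_unit is assumed here.
 */

/* The bound as posted in v4: lets the sum through when it is exactly 32. */
int v4_guard_accepts(uint8_t compression_unit, uint8_t cluster_size_bits)
{
	return !((unsigned int)compression_unit + cluster_size_bits > 32);
}

/*
 * Safe form: 1U is 32 bits wide, so a shift count of 32 or more is undefined
 * behaviour in C (what UBSAN reports as shift-out-of-bounds).  Returns the
 * block size, or -EOPNOTSUPP for a compression unit that cannot be handled.
 */
long long ntfs_compressed_block_size(uint8_t compression_unit,
				     uint8_t cluster_size_bits)
{
	unsigned int shift = (unsigned int)compression_unit + cluster_size_bits;

	if (shift >= 8 * sizeof(1U))
		return -EOPNOTSUPP;
	return (long long)(1U << shift);
}

int main(void)
{
	/* Constructed inputs: 4 KiB clusters (12 bits) and the compression
	 * unit of 4 mentioned in the thread (16 clusters) give 64 KiB blocks. */
	printf("cu=4   bits=12 -> %lld\n", ntfs_compressed_block_size(4, 12));
	/* Sum of exactly 32: accepted by the v4 check, rejected here. */
	printf("cu=20  bits=12 -> v4 accepts=%d, safe=%lld\n",
	       v4_guard_accepts(20, 12), ntfs_compressed_block_size(20, 12));
	/* Out-of-range value such as a corrupted image could carry. */
	printf("cu=255 bits=12 -> %lld\n", ntfs_compressed_block_size(255, 12));
	return 0;
}
```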
Re: [PATCH v4] ntfs : fix shift-out-of-bounds in ntfs_iget
Posted by Greg KH 2 years, 4 months ago
On Sun, Aug 13, 2023 at 11:29:49AM +0530, Manas Ghandat wrote:
> Currently there is no check for ni->itype.compressed.block_size when
> a->data.non_resident.compression_unit is present and NInoSparse(ni) is
> true. Added the required check to the calculation of block size.
> 
> Signed-off-by: Manas Ghandat <ghandatmanas@gmail.com>
> Reported-by: syzbot+4768a8f039aa677897d0@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=4768a8f039aa677897d0
> Fix-commit-ID: upstream f40ddce88593482919761f74910f42f4b84c004b

What is this last tag for?  That's a kernel release version, what can be
done with that?

confused,

greg k-h
Re: [PATCH v4] ntfs : fix shift-out-of-bounds in ntfs_iget
Posted by Manas Ghandat 2 years, 4 months ago
Sorry for the late reply, Greg. The last tag specifies the commit id.
Also, I have sent v5 of the patch, in which I have made some critical
changes. Please take a look at that.

On 17/08/23 00:45, Greg KH wrote:
> On Sun, Aug 13, 2023 at 11:29:49AM +0530, Manas Ghandat wrote:
>> Currently there is no check for ni->itype.compressed.block_size when
>> a->data.non_resident.compression_unit is present and NInoSparse(ni) is
>> true. Added the required check to the calculation of block size.
>>
>> Signed-off-by: Manas Ghandat <ghandatmanas@gmail.com>
>> Reported-by: syzbot+4768a8f039aa677897d0@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=4768a8f039aa677897d0
>> Fix-commit-ID: upstream f40ddce88593482919761f74910f42f4b84c004b
> What is this last tag for?  That's a kernel release version, what can be
> done with that?
>
> confused,
>
> greg k-h
Re: [PATCH v4] ntfs : fix shift-out-of-bounds in ntfs_iget
Posted by Namjae Jeon 2 years, 3 months ago
2023-08-18 15:34 GMT+09:00, Manas Ghandat <ghandatmanas@gmail.com>:
> Sorry for the late reply, Greg. The last tag specifies the commit id.
> Also, I have sent v5 of the patch, in which I have made some critical
> changes. Please take a look at that.
Have you checked the build error report from the kernel test robot?

>
> On 17/08/23 00:45, Greg KH wrote:
>> On Sun, Aug 13, 2023 at 11:29:49AM +0530, Manas Ghandat wrote:
>>> Currently there is no check for ni->itype.compressed.block_size when
>>> a->data.non_resident.compression_unit is present and NInoSparse(ni) is
>>> true. Added the required check to the calculation of block size.
>>>
>>> Signed-off-by: Manas Ghandat <ghandatmanas@gmail.com>
>>> Reported-by: syzbot+4768a8f039aa677897d0@syzkaller.appspotmail.com
>>> Closes: https://syzkaller.appspot.com/bug?extid=4768a8f039aa677897d0
>>> Fix-commit-ID: upstream f40ddce88593482919761f74910f42f4b84c004b
>> What is this last tag for?  That's a kernel release version, what can be
>> done with that?
>>
>> confused,
>>
>> greg k-h
>
Re: [PATCH v4] ntfs : fix shift-out-of-bounds in ntfs_iget
Posted by Manas Ghandat 2 years, 3 months ago
I have been looking at this issue for some time now. As Anton suggested,
vol->sparse_compression_unit is set at mount time. I cannot seem to find
the code for that part. It seems that the ntfs_inode struct does not have
any sparse_compression_unit. So I am stuck at that part of the problem.

On 28/08/23 08:30, Namjae Jeon wrote:
> 2023-08-18 15:34 GMT+09:00, Manas Ghandat <ghandatmanas@gmail.com>:
>> Sorry for the late reply, Greg. The last tag specifies the commit id.
>> Also, I have sent v5 of the patch, in which I have made some critical
>> changes. Please take a look at that.
> Have you checked the build error report from the kernel test robot?
Re: [PATCH v4] ntfs : fix shift-out-of-bounds in ntfs_iget
Posted by Namjae Jeon 2 years, 4 months ago
2023-08-13 14:59 GMT+09:00, Manas Ghandat <ghandatmanas@gmail.com>:
Hi,
> Currently there is no check for ni->itype.compressed.block_size when
> a->data.non_resident.compression_unit is present and NInoSparse(ni) is
> true. Added the required check to the calculation of block size.
>
> Signed-off-by: Manas Ghandat <ghandatmanas@gmail.com>
> Reported-by: syzbot+4768a8f039aa677897d0@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=4768a8f039aa677897d0
> Fix-commit-ID: upstream f40ddce88593482919761f74910f42f4b84c004b
> ---
> V3 -> V4: Fix description
> V2 -> V3: Fix patching issue.
> V1 -> V2: Cleaned up coding style.
>
>  fs/ntfs/inode.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
> index 6c3f38d66579..a657322874ed 100644
> --- a/fs/ntfs/inode.c
> +++ b/fs/ntfs/inode.c
> @@ -1077,6 +1077,15 @@ static int ntfs_read_locked_inode(struct inode *vi)
>  					goto unm_err_out;
>  				}
>  				if (a->data.non_resident.compression_unit) {
> +					if (a->data.non_resident.compression_unit +
> +					vol->cluster_size_bits > 32) {
> +						ntfs_error(vi->i_sb,
> +						"Found non-standard compression unit (%u).   Cannot handle this.",
> +						a->data.non_resident.compression_unit
> +						);
> +						err = -EOPNOTSUPP;
> +						goto unm_err_out;
> +					}
compression_unit seems to be used when the ntfs inode is compressed.
And it should be either 0 or 4. So, I think we can set the related
compression block variables of the ntfs inode only when ni is
NInoCompressed, like this... Anton, am I missing something?

diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index efe0602b4e51..e5a7d81d575b 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -1076,7 +1076,8 @@ static int ntfs_read_locked_inode(struct inode *vi)
                                        err = -EOPNOTSUPP;
                                        goto unm_err_out;
                                }
-                               if (a->data.non_resident.compression_unit) {
+                               if (NInoCompressed(ni) &&
+                                   a->data.non_resident.compression_unit) {
                                        ni->itype.compressed.block_size = 1U <<
                                                        (a->data.non_resident.
                                                        compression_unit +
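Review bot: Gating the branch on `NInoCompressed(ni)` removes the shift from the sparse-only path but leaves the compressed path unprotected: a compressed inode carrying an out-of-range compression_unit still evaluates `1U << (compression_unit + cluster_size_bits)` with no bound, so a range check on compression_unit (the mail says the value should be 0 or 4) is still needed here. It is also not visible from the hunk whether later code expects `ni->itype.compressed.block_size` to be set for an NInoSparse inode that now skips this branch; that should be confirmed before this replaces the v4 check.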

>  					ni->itype.compressed.block_size = 1U <<
>  							(a->data.non_resident.
>  							compression_unit +
> --
> 2.37.2
>
>