[PATCH v2] adfs: validate nzones in adfs_validate_bblk()

paeyz posted 1 patch 2 weeks ago
There is a newer version of this series
fs/adfs/super.c | 3 +++
1 file changed, 3 insertions(+)
[PATCH v2] adfs: validate nzones in adfs_validate_bblk()
Posted by paeyz 2 weeks ago
From: Bae Yeonju <iwasbaeyz@gmail.com>

Reject ADFS disc records with a zero zone count during boot block
validation, before the disc record is used.

When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...)
which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to
dm[-1], causing an out-of-bounds write before the allocated buffer.

adfs_validate_dr0() already rejects nzones != 1 for old-format
images.  Add the equivalent check to adfs_validate_bblk() for
new-format images so that a crafted image with nzones == 0 is
rejected at probe time.

Found by syzkaller.

Fixes: f6f14a0d71b0 ("fs/adfs: map: move map-specific sb initialisation to map.c")
Tested-by: Bae Yeonju <iwasbaeyz@gmail.com>
Signed-off-by: Bae Yeonju <iwasbaeyz@gmail.com>
---
 fs/adfs/super.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/adfs/super.c b/fs/adfs/super.c
index 4d3015e3a..b5522b862 100644
--- a/fs/adfs/super.c
+++ b/fs/adfs/super.c
@@ -343,6 +343,9 @@ static int adfs_validate_bblk(struct super_block *sb, struct buffer_head *bh,
 	if (adfs_checkdiscrecord(dr))
 		return -EILSEQ;

+	if ((dr->nzones | dr->nzones_high << 8) == 0)
+		return -EILSEQ;
+
 	*drp = dr;
 	return 0;
 }
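Review bot: the check `if ((dr->nzones | dr->nzones_high << 8) == 0)` is correct only because `<<` binds tighter than `|`, and it re-derives the 16-bit zone count that, per the commit message, adfs_read_map() later hands to kmalloc_array(); computing it once into a named local with the shift parenthesised, e.g. `unsigned int nzones = dr->nzones | (dr->nzones_high << 8);`, and a one-line comment saying a zero count would make the per-zone map allocation zero-sized would make the intent obvious to the next reader. Worth noting in that comment too: testing only `dr->nzones` would be wrong, since a valid new-format disc with exactly 256 zones has nzones == 0 and nzones_high == 1, which is exactly why the composed value is the right thing to compare against zero.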
--
2.43.0
Re: [PATCH v2] adfs: validate nzones in adfs_validate_bblk()
Posted by Greg KH 2 weeks ago
On Sat, Mar 21, 2026 at 12:52:13AM +0900, paeyz wrote:
> From: Bae Yeonju <iwasbaeyz@gmail.com>
> 
> Reject ADFS disc records with a zero zone count during boot block
> validation, before the disc record is used.
> 
> When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...)
> which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to
> dm[-1], causing an out-of-bounds write before the allocated buffer.
> 
> adfs_validate_dr0() already rejects nzones != 1 for old-format
> images.  Add the equivalent check to adfs_validate_bblk() for
> new-format images so that a crafted image with nzones == 0 is
> rejected at probe time.
> 
> Found by syzkaller.
> 
> Fixes: f6f14a0d71b0 ("fs/adfs: map: move map-specific sb initialisation to map.c")
> Tested-by: Bae Yeonju <iwasbaeyz@gmail.com>
> Signed-off-by: Bae Yeonju <iwasbaeyz@gmail.com>

Nit, no need for Tested-by if you sign off on the change :)

> ---
>  fs/adfs/super.c | 3 +++
>  1 file changed, 3 insertions(+)

The version info from what changed goes below the --- line.

Anyway, who takes adfs changes these days?  Russell do you?  There's no
MAINTAINERS entry that I can find.  If no one else, I can take it
through one of my trees.

thanks,

greg k-h
Re: [PATCH v2] adfs: validate nzones in adfs_validate_bblk()
Posted by Russell King (Oracle) 2 weeks ago
On Fri, Mar 20, 2026 at 05:04:07PM +0100, Greg KH wrote:
> On Sat, Mar 21, 2026 at 12:52:13AM +0900, paeyz wrote:
> > From: Bae Yeonju <iwasbaeyz@gmail.com>
> > 
> > Reject ADFS disc records with a zero zone count during boot block
> > validation, before the disc record is used.
> > 
> > When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...)
> > which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to
> > dm[-1], causing an out-of-bounds write before the allocated buffer.
> > 
> > adfs_validate_dr0() already rejects nzones != 1 for old-format
> > images.  Add the equivalent check to adfs_validate_bblk() for
> > new-format images so that a crafted image with nzones == 0 is
> > rejected at probe time.
> > 
> > Found by syzkaller.
> > 
> > Fixes: f6f14a0d71b0 ("fs/adfs: map: move map-specific sb initialisation to map.c")
> > Tested-by: Bae Yeonju <iwasbaeyz@gmail.com>
> > Signed-off-by: Bae Yeonju <iwasbaeyz@gmail.com>
> 
> Nit, no need for Tested-by if you sign off on the change :)
> 
> > ---
> >  fs/adfs/super.c | 3 +++
> >  1 file changed, 3 insertions(+)
> 
> The version info from what changed goes below the --- line.
> 
> Anyway, who takes adfs changes these days?  Russell do you?  There's no
> MAINTAINERS entry that I can find.  If no one else, I can take it
> through one of my trees.

I have done, as I'm the author of this fs driver.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
Re: [PATCH v2] adfs: validate nzones in adfs_validate_bblk()
Posted by Greg KH 2 weeks ago
On Fri, Mar 20, 2026 at 04:08:26PM +0000, Russell King (Oracle) wrote:
> On Fri, Mar 20, 2026 at 05:04:07PM +0100, Greg KH wrote:
> > On Sat, Mar 21, 2026 at 12:52:13AM +0900, paeyz wrote:
> > > From: Bae Yeonju <iwasbaeyz@gmail.com>
> > > 
> > > Reject ADFS disc records with a zero zone count during boot block
> > > validation, before the disc record is used.
> > > 
> > > When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...)
> > > which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to
> > > dm[-1], causing an out-of-bounds write before the allocated buffer.
> > > 
> > > adfs_validate_dr0() already rejects nzones != 1 for old-format
> > > images.  Add the equivalent check to adfs_validate_bblk() for
> > > new-format images so that a crafted image with nzones == 0 is
> > > rejected at probe time.
> > > 
> > > Found by syzkaller.
> > > 
> > > Fixes: f6f14a0d71b0 ("fs/adfs: map: move map-specific sb initialisation to map.c")
> > > Tested-by: Bae Yeonju <iwasbaeyz@gmail.com>
> > > Signed-off-by: Bae Yeonju <iwasbaeyz@gmail.com>
> > 
> > Nit, no need for Tested-by if you sign off on the change :)
> > 
> > > ---
> > >  fs/adfs/super.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > 
> > The version info from what changed goes below the --- line.
> > 
> > Anyway, who takes adfs changes these days?  Russell do you?  There's no
> > MAINTAINERS entry that I can find.  If no one else, I can take it
> > through one of my trees.
> 
> I have done, as I'm the author of this fs driver.

Great, thanks!

Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[PATCH v3] adfs: validate nzones in adfs_validate_bblk()
Posted by paeyz 1 week, 6 days ago
From: Bae Yeonju <iwasbaeyz@gmail.com>

Reject ADFS disc records with a zero zone count during boot block
validation, before the disc record is used.

When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...)
which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to
dm[-1], causing an out-of-bounds write before the allocated buffer.

adfs_validate_dr0() already rejects nzones != 1 for old-format
images.  Add the equivalent check to adfs_validate_bblk() for
new-format images so that a crafted image with nzones == 0 is
rejected at probe time.

Found by syzkaller.

Fixes: f6f14a0d71b0 ("fs/adfs: map: move map-specific sb initialisation to map.c")
Signed-off-by: Bae Yeonju <iwasbaeyz@gmail.com>
---
Changes in v3:
  - Drop redundant Tested-by

Changes in v2:
  - Move check from adfs_read_map() to adfs_validate_bblk() (Russell King)

 fs/adfs/super.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/adfs/super.c b/fs/adfs/super.c
index 4d3015e3a..b5522b862 100644
--- a/fs/adfs/super.c
+++ b/fs/adfs/super.c
@@ -343,6 +343,9 @@ static int adfs_validate_bblk(struct super_block *sb, struct buffer_head *bh,
 	if (adfs_checkdiscrecord(dr))
 		return -EILSEQ;

+	if ((dr->nzones | dr->nzones_high << 8) == 0)
+		return -EILSEQ;
+
 	*drp = dr;
 	return 0;
 }
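Review bot: this hunk is identical to the v2 one (the v3 changelog only drops the Tested-by tag), so the same readability point applies: parenthesise the shift in `(dr->nzones | dr->nzones_high << 8)` or compute the composed zone count into a local, and add a comment stating why zero is rejected. The new test also returns -EILSEQ silently, like the adfs_checkdiscrecord() test just above it, so someone mounting a damaged image cannot tell which validation failed; a diagnostic that names the zone count would make triage easier, if the driver's other rejections print one.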
--
2.43.0
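The commit message's reasoning (a zero zone count reaches kmalloc_array() as 0 and the layout code then indexes one element before the buffer) can be reproduced in user space. The following is an added illustration written for this page, not code from the patch or from fs/adfs; it models only the two disc-record fields the hunk reads (struct disc_record here is a stand-in, not the kernel's struct adfs_discrecord), takes the dm[nzones - 1] indexing from the dm[-1] wording of the commit message as an assumption, and uses calloc() in place of kmalloc_array(). It also shows why the composed 16-bit count, and not the low byte alone, is the right thing to test: a valid new-format disc with exactly 256 zones has nzones == 0 and nzones_high == 1.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Simplified model of the two disc-record fields the patch checks.
 * This is NOT the kernel's struct adfs_discrecord; only nzones and
 * nzones_high are modelled (assumption for this example).
 */
struct disc_record {
	uint8_t nzones;		/* low byte of the zone count */
	uint8_t nzones_high;	/* high byte, used by new-format discs */
};

/*
 * Compose the 16-bit zone count exactly as the patch's check does:
 * '<<' binds tighter than '|', so this is nzones | (nzones_high << 8).
 */
static unsigned int zone_count(const struct disc_record *dr)
{
	return dr->nzones | dr->nzones_high << 8;
}

/* Mirror of the added adfs_validate_bblk() check: zero zones -> -EILSEQ. */
static int validate_bblk(const struct disc_record *dr)
{
	if (zone_count(dr) == 0)
		return -EILSEQ;
	return 0;
}

/*
 * A naive check on the low byte alone, shown for contrast: it would
 * reject a valid new-format disc with exactly 256 zones (nzones == 0,
 * nzones_high == 1), which is why the composed count must be tested.
 */
static int validate_bblk_naive(const struct disc_record *dr)
{
	if (dr->nzones == 0)
		return -EILSEQ;
	return 0;
}

/*
 * Index of the last zone entry, modelling the dm[nzones - 1] access that
 * the commit message's "writes to dm[-1]" implies (assumption).  With a
 * zero count this is -1: one element before a zero-sized allocation.
 */
static long last_zone_index(const struct disc_record *dr)
{
	return (long)zone_count(dr) - 1;
}

/*
 * Simulated mount path: validate the boot block first, then allocate the
 * per-zone map (calloc stands in for kmalloc_array).  Returns the number
 * of zones allocated, or a negative errno.  Because validation runs
 * first, the allocator never sees a zero count and the final-element
 * write below is always inside the buffer.
 */
static int read_map(const struct disc_record *dr)
{
	int err = validate_bblk(dr);
	unsigned int n;
	long *dm;

	if (err)
		return err;
	n = zone_count(dr);
	dm = calloc(n, sizeof(*dm));
	if (!dm)
		return -ENOMEM;
	dm[last_zone_index(dr)] = 0;	/* safe: n >= 1 here */
	free(dm);
	return (int)n;
}

int main(void)
{
	/* Constructed sample records: crafted zero, 256-zone, single-zone. */
	const struct disc_record crafted = { .nzones = 0, .nzones_high = 0 };
	const struct disc_record big = { .nzones = 0, .nzones_high = 1 };
	const struct disc_record small = { .nzones = 1, .nzones_high = 0 };

	printf("crafted: read_map=%d last_index=%ld\n",
	       read_map(&crafted), last_zone_index(&crafted));
	printf("256 zones: composed=%d naive=%d\n",
	       validate_bblk(&big), validate_bblk_naive(&big));
	printf("1 zone: read_map=%d\n", read_map(&small));
	return 0;
}
```

Building with `cc -Wall -o nzones nzones.c` and running it shows the crafted record rejected before any allocation, the 256-zone record accepted by the composed check but wrongly rejected by the low-byte-only variant, and the single-zone record mounting with one map entry.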