
Commit c114d2b

aalexandrovichgregkh
authored andcommitted
fs/ntfs3: Add a check for attr_names and oatbl
commit 702d493 upstream. Added out-of-bound checking for *ane (ATTR_NAME_ENTRY). Reported-by: lei lu <llfamsec@gmail.com> Fixes: 865e7a7 ("fs/ntfs3: Reduce stack usage") Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent f4435f4 commit c114d2b

1 file changed

Lines changed: 32 additions & 6 deletions


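--- a/fs/ntfs3/fslog.c
+++ b/fs/ntfs3/fslog.c
@@ -3722,6 +3722,8 @@ int log_replay(struct ntfs_inode *ni, bool *initialized)
 
 u64 rec_lsn, checkpt_lsn = 0, rlsn = 0;
 struct ATTR_NAME_ENTRY *attr_names = NULL;
+u32 attr_names_bytes = 0;
+u32 oatbl_bytes = 0;
 struct RESTART_TABLE *dptbl = NULL;
 struct RESTART_TABLE *trtbl = NULL;
 const struct RESTART_TABLE *rt;
@@ -3736,6 +3738,7 @@ int log_replay(struct ntfs_inode *ni, bool *initialized)
 struct NTFS_RESTART *rst = NULL;
 struct lcb *lcb = NULL;
 struct OPEN_ATTR_ENRTY *oe;
+struct ATTR_NAME_ENTRY *ane;
 struct TRANSACTION_ENTRY *tr;
 struct DIR_PAGE_ENTRY *dp;
 u32 i, bytes_per_attr_entry;
@@ -4314,17 +4317,40 @@ int log_replay(struct ntfs_inode *ni, bool *initialized)
 lcb = NULL;
 
 check_attribute_names2:
-if (rst->attr_names_len && oatbl) {
-struct ATTR_NAME_ENTRY *ane = attr_names;
-while (ane->off) {
+if (attr_names && oatbl) {
+off = 0;
+for (;;) {
+/* Check we can use attribute name entry 'ane'. */
+static_assert(sizeof(*ane) == 4);
+if (off + sizeof(*ane) > attr_names_bytes) {
+/* just ignore the rest. */
+break;
+}
+
+ane = Add2Ptr(attr_names, off);
+t16 = le16_to_cpu(ane->off);
+if (!t16) {
+/* this is the only valid exit. */
+break;
+}
+
+/* Check we can use open attribute entry 'oe'. */
+if (t16 + sizeof(*oe) > oatbl_bytes) {
+/* just ignore the rest. */
+break;
+}
+
 /* TODO: Clear table on exit! */
-oe = Add2Ptr(oatbl, le16_to_cpu(ane->off));
+oe = Add2Ptr(oatbl, t16);
 t16 = le16_to_cpu(ane->name_bytes);
+off += t16 + sizeof(*ane);
+if (off > attr_names_bytes) {
+/* just ignore the rest. */
+break;
+}
 oe->name_len = t16 / sizeof(short);
 oe->ptr = ane->name;
 oe->is_attr_name = 2;
-ane = Add2Ptr(ane,
-sizeof(struct ATTR_NAME_ENTRY) + t16);
 }
 }
 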
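Review bot: `attr_names_bytes` and `oatbl_bytes` are declared with `= 0` in the first hunk and afterwards only read in the `check_attribute_names2` loop; none of the 32 added lines shown on this page assigns them. If that is the whole change, `off + sizeof(*ane) > attr_names_bytes` is already true on the first pass, so the loop breaks before any `oe` is written: the walk is memory-safe, but the attribute names are never attached to the open-attribute table. Both sizes should be recorded where `attr_names` and `oatbl` are allocated, using the same lengths passed to those allocations; those sites are in parts of `log_replay` outside these hunks. The `oe` check also bounds `t16 + sizeof(*oe)` from above only, so as far as the hunk shows an `ane->off` that points into the table header or between entries is still accepted. The "just ignore the rest" breaks drop a malformed table silently, and a comment stating why replay continues instead of returning an error would help the next reader.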
