fs/ntfs3: Fix OOB read in ntfs_init_from_boot
Syzbot was able to create a device which has the last sector of size
512.

After failing to boot from initial sector, reading from boot info from
offset 511 causes OOB read.

To prevent such reports add sanity check to validate if size of buffer_head
is big enough to hold ntfs3 bootinfo

Fixes: 6a4cd3e ("fs/ntfs3: Alternative boot if primary boot is corrupted")
Reported-by: syzbot+53ce40c8c0322c06aea5@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Pavel Skripkin authored and Konstantin Komarov committed Sep 28, 2023
1 parent 8e7e27b commit 34e6552
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions fs/ntfs3/super.c
@@ -878,6 +878,11 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size,

check_boot:
err = -EINVAL;

/* Corrupted image; do not read OOB */
if (bh->b_size - sizeof(*boot) < boot_off)
goto out;

boot = (struct NTFS_BOOT *)Add2Ptr(bh->b_data, boot_off);

if (memcmp(boot->system_id, "NTFS ", sizeof("NTFS ") - 1)) {
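
Review bot: The added check `if (bh->b_size - sizeof(*boot) < boot_off)` subtracts in unsigned arithmetic, so if bh->b_size were ever smaller than sizeof(*boot) the left-hand side would wrap to a very large value, the condition would be false, and the Add2Ptr() line right after it would still read past the buffer. Consider ruling that case out first, for example `if (bh->b_size < sizeof(*boot) || bh->b_size - sizeof(*boot) < boot_off)`, or note in the comment why b_size can never be below sizeof(*boot) here. The comment itself could also say what is being validated (the boot record at boot_off must fit inside the buffer_head) rather than only "do not read OOB", since the failure path silently returns -EINVAL through `goto out`.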