ntfs: remove redundant out-of-bound checks

Remove redundant out-of-bounds validations.
Since ntfs_attr_find and ntfs_external_attr_find
now validate the attribute value offsets and
lengths against the bounds of the MFT record block,
performing subsequent bounds checking in caller
functions like ntfs_attr_lookup is no longer necessary.

Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>

authored by

Hyunchul Lee and committed by
Namjae Jeon
14f0a13e a198a0c4

-42
-28
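--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -757,12 +757,6 @@
 	}
 	a = ctx->attr;
 	/* Get the standard information attribute value. */
-	if ((u8 *)a + le16_to_cpu(a->data.resident.value_offset)
-			+ le32_to_cpu(a->data.resident.value_length) >
-			(u8 *)ctx->mrec + vol->mft_record_size) {
-		ntfs_error(vi->i_sb, "Corrupt standard information attribute in inode.");
-		goto unm_err_out;
-	}
 	si = (struct standard_information *)((u8 *)a +
 			le16_to_cpu(a->data.resident.value_offset));
 
@@ -843,13 +849,6 @@
 				goto unm_err_out;
 			}
 		} else /* if (!a->non_resident) */ {
-			if ((u8 *)a + le16_to_cpu(a->data.resident.value_offset)
-					+ le32_to_cpu(
-					a->data.resident.value_length) >
-					(u8 *)ctx->mrec + vol->mft_record_size) {
-				ntfs_error(vi->i_sb, "Corrupt attribute list in inode.");
-				goto unm_err_out;
-			}
 			/* Now copy the attribute list. */
 			memcpy(ni->attr_list, (u8 *)a + le16_to_cpu(
 					a->data.resident.value_offset),
@@ -941,10 +954,6 @@
 		ir = (struct index_root *)((u8 *)a +
 				le16_to_cpu(a->data.resident.value_offset));
 		ir_end = (u8 *)ir + le32_to_cpu(a->data.resident.value_length);
-		if (ir_end > (u8 *)ctx->mrec + vol->mft_record_size) {
-			ntfs_error(vi->i_sb, "$INDEX_ROOT attribute is corrupt.");
-			goto unm_err_out;
-		}
 		index_end = (u8 *)&ir->index +
 				le32_to_cpu(ir->index.index_length);
 		if (index_end > ir_end) {
@@ -1535,10 +1552,6 @@
 
 	ir = (struct index_root *)((u8 *)a + le16_to_cpu(a->data.resident.value_offset));
 	ir_end = (u8 *)ir + le32_to_cpu(a->data.resident.value_length);
-	if (ir_end > (u8 *)ctx->mrec + vol->mft_record_size) {
-		ntfs_error(vi->i_sb, "$INDEX_ROOT attribute is corrupt.");
-		goto unm_err_out;
-	}
 	index_end = (u8 *)&ir->index + le32_to_cpu(ir->index.index_length);
 	if (index_end > ir_end) {
 		ntfs_error(vi->i_sb, "Index is corrupt.");
@@ -1978,13 +1999,6 @@
 			goto put_err_out;
 		}
 	} else /* if (!ctx.attr->non_resident) */ {
-		if ((u8 *)a + le16_to_cpu(
-				a->data.resident.value_offset) +
-				le32_to_cpu(a->data.resident.value_length) >
-				(u8 *)ctx->mrec + vol->mft_record_size) {
-			ntfs_error(sb, "Corrupt attribute list attribute.");
-			goto put_err_out;
-		}
 		/* Now copy the attribute list. */
 		memcpy(ni->attr_list, (u8 *)a + le16_to_cpu(
 				a->data.resident.value_offset),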
-8
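--- a/fs/ntfs/namei.c
+++ b/fs/ntfs/namei.c
@@ -274,7 +274,6 @@
 	}
 	do {
 		struct attr_record *a;
-		u32 val_len;
 
 		err = ntfs_attr_lookup(AT_FILE_NAME, NULL, 0, 0, 0,
 				NULL, 0, ctx);
@@ -288,15 +289,8 @@
 		a = ctx->attr;
 		if (a->non_resident || a->flags)
 			goto eio_err_out;
-		val_len = le32_to_cpu(a->data.resident.value_length);
-		if (le16_to_cpu(a->data.resident.value_offset) +
-				val_len > le32_to_cpu(a->length))
-			goto eio_err_out;
 		fn = (struct file_name_attr *)((u8 *)ctx->attr + le16_to_cpu(
 				ctx->attr->data.resident.value_offset));
-		if ((u32)(fn->file_name_length * sizeof(__le16) +
-				sizeof(struct file_name_attr)) > val_len)
-			goto eio_err_out;
 	} while (fn->file_name_type != FILE_NAME_WIN32);
 
 	/* Convert the found WIN32 name to current NLS code page. */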
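Review bot: Dropping old lines 297-299 in the second hunk removes the only check that fn->file_name_length (plus the fixed file_name_attr header) fits inside the attribute value, and that is a check on the value's contents, not on value_offset/value_length against the MFT record, so the lookup-side validation the commit message relies on does not appear to cover it. The loop condition then dereferences fn->file_name_type and the conversion below presumably reads file_name_length UTF-16 units from the name, which on a corrupt or crafted record can now extend past the attribute value that ntfs_attr_find bounded. Suggest keeping the content check after fn is computed, using the attribute's own length now that val_len is gone: `if ((u32)(fn->file_name_length * sizeof(__le16) + sizeof(struct file_name_attr)) > le32_to_cpu(a->data.resident.value_length)) goto eio_err_out;`. The enclosing function starts and ends outside the hunk, so I could not confirm from here how the name length is consumed afterwards.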
-6
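--- a/fs/ntfs/super.c
+++ b/fs/ntfs/super.c
@@ -1512,7 +1512,6 @@
 
 	if (ntfs_attr_lookup(AT_VOLUME_INFORMATION, NULL, 0, 0, 0, NULL, 0,
 			ctx) || ctx->attr->non_resident || ctx->attr->flags) {
-err_put_vol:
 		ntfs_attr_put_search_ctx(ctx);
 get_ctx_vol_failed:
 		unmap_mft_record(NTFS_I(vol->vol_ino));
@@ -1519,11 +1520,6 @@
 	}
 	vi = (struct volume_information *)((char *)ctx->attr +
 			le16_to_cpu(ctx->attr->data.resident.value_offset));
-	/* Some bounds checks. */
-	if ((u8 *)vi < (u8 *)ctx->attr || (u8 *)vi +
-			le32_to_cpu(ctx->attr->data.resident.value_length) >
-			(u8 *)ctx->attr + le32_to_cpu(ctx->attr->length))
-		goto err_put_vol;
 	/* Copy the volume flags and version to the struct ntfs_volume structure. */
 	vol->vol_flags = vi->flags;
 	vol->major_ver = vi->major_ver;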