tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()

In ntfs_mapping_pairs_decompress(), lowest_vcn is read from
on-disk metadata and used as the initial vcn without validation.
A malformed value can introduce an invalid (e.g. negative) vcn,
corrupting the runlist from the start.

Additionally, the accumulation
vcn += deltaxcn

does not check for s64 overflow. A crafted mapping pairs array
can wrap vcn to a negative value, breaking the monotonically-
increasing invariant relied upon by ntfs_rl_vcn_to_lcn() and
related helpers.

Fix this by validating lowest_vcn and using check_add_overflow()
for vcn accumulation.

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>

authored by

Zhan Xusheng and committed by
Namjae Jeon cad7c6f0 2dd8c166

+21 -3
+21 -3
fs/ntfs/runlist.c
··· 15 15 * Copyright (c) 2007-2022 Jean-Pierre Andre 16 16 */ 17 17 18 + #include <linux/overflow.h> 19 + 18 20 #include "ntfs.h" 19 21 #include "attrib.h" 20 22 ··· 741 739 int rlsize; /* Size of runlist buffer. */ 742 740 u16 rlpos; /* Current runlist position in units of struct runlist_elements. */ 743 741 u8 b; /* Current byte offset in buf. */ 742 + u64 lowest_vcn; /* Raw on-disk lowest_vcn. */ 744 743 745 744 #ifdef DEBUG 746 745 /* Make sure attr exists and is non-resident. */ ··· 750 747 return ERR_PTR(-EINVAL); 751 748 } 752 749 #endif 750 + lowest_vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn); 751 + /* Validate lowest_vcn from on-disk metadata to ensure it is sane. */ 752 + if (overflows_type(lowest_vcn, vcn)) { 753 + ntfs_error(vol->sb, "Invalid lowest_vcn in mapping pairs."); 754 + goto err_out; 755 + } 753 756 /* Start at vcn = lowest_vcn and lcn 0. */ 754 - vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn); 757 + vcn = lowest_vcn; 755 758 lcn = 0; 756 759 /* Get start of the mapping pairs array. */ 757 760 buf = (u8 *)attr + ··· 832 823 * element. 833 824 */ 834 825 rl[rlpos].length = deltaxcn; 835 - /* Increment the current vcn by the current run length. */ 836 - vcn += deltaxcn; 826 + /* 827 + * Increment the current vcn by the current run length. 828 + * Guard against s64 overflow from a crafted mapping 829 + * pairs array to preserve the monotonically-increasing 830 + * vcn invariant. 831 + */ 832 + if (unlikely(check_add_overflow(vcn, deltaxcn, &vcn))) { 833 + ntfs_error(vol->sb, "VCN overflow in mapping pairs array."); 834 + goto err_out; 835 + } 836 + 837 837 /* 838 838 * There might be no lcn change at all, as is the case for 839 839 * sparse clusters on NTFS 3.0+, in which case we set the lcn