Commit 34e6552a authored by Pavel Skripkin, committed by Konstantin Komarov

fs/ntfs3: Fix OOB read in ntfs_init_from_boot

Syzbot was able to create a device which has the last sector of size
512.

After failing to boot from initial sector, reading from boot info from
offset 511 causes OOB read.

To prevent such reports add sanity check to validate if size of buffer_head
is big enough to hold ntfs3 bootinfo

Fixes: 6a4cd3ea ("fs/ntfs3: Alternative boot if primary boot is corrupted")
Reported-by: syzbot+53ce40c8c0322c06aea5@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
parent 8e7e27b2
...@@ -878,6 +878,11 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, ...@@ -878,6 +878,11 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size,
check_boot: check_boot:
err = -EINVAL; err = -EINVAL;
/* Corrupted image; do not read OOB */
if (bh->b_size - sizeof(*boot) < boot_off)
goto out;
boot = (struct NTFS_BOOT *)Add2Ptr(bh->b_data, boot_off); boot = (struct NTFS_BOOT *)Add2Ptr(bh->b_data, boot_off);
if (memcmp(boot->system_id, "NTFS ", sizeof("NTFS ") - 1)) { if (memcmp(boot->system_id, "NTFS ", sizeof("NTFS ") - 1)) {
......
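
Review bot: The new guard `bh->b_size - sizeof(*boot) < boot_off` subtracts in unsigned arithmetic, because sizeof yields an unsigned value. If bh->b_size were ever smaller than sizeof(*boot), the left side would wrap to a very large number and the check would pass instead of taking `goto out`. The additive form `if (boot_off + sizeof(*boot) > bh->b_size)` rejects the same reported case and does not rely on the buffer being at least as large as the structure. This path also leaves with err = -EINVAL and no message; a short log line here would let a too-small buffer be told apart from other invalid-boot failures.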