- 14 Nov, 2022 21 commits
-
-
Konstantin Komarov authored
Added new function wnd_set_used_safe. Load $BadClus before $AttrDef instead of before $Bitmap. Signed-off-by:Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
-
Konstantin Komarov authored
We need to check used bytes instead of total. Signed-off-by: -
Konstantin Komarov authored
This way code will be more readable. Signed-off-by: -
Konstantin Komarov authored
We need to update ctime too with mode. Fixes xfstest generic/307 Signed-off-by: -
Konstantin Komarov authored
Added new functions index_hdr_check and index_buf_check. Now we check all stuff for correctness while reading from disk. Also fixed bug with stale nfs data. Reported-by:
van fantasy <g1042620637@gmail.com> Signed-off-by:
-
Konstantin Komarov authored
zlen in some cases was bigger than correct value. Signed-off-by: -
Konstantin Komarov authored
Added new function ntfs_check_for_free_space. Added undo mechanism in attr_data_get_block. Fixes xfstest generic/083 Signed-off-by: -
Konstantin Komarov authored
In some cases we can be in deadlock because we tried to lock the same dir. Signed-off-by: -
Konstantin Komarov authored
There were 2 problems: - in some cases we lost dirty flag; - cluster allocation can be called even when it wasn't needed. Fixes xfstest generic/465 Signed-off-by: -
Konstantin Komarov authored
Added ntfs_atomic_open function. Relaxed locking in ntfs_create_inode. Signed-off-by: -
Konstantin Komarov authored
Also simplifying code. Signed-off-by: -
Konstantin Komarov authored
Remove ntfs_sparse_cluster. Zero clusters in attr_allocate_clusters. Fixes xfstest generic/263 Signed-off-by: -
Konstantin Komarov authored
Simplify logic in ntfs_extend_initialized_size, ntfs_sparse_cluster and ntfs_fallocate. Signed-off-by: -
Konstantin Komarov authored
Make err assignment in one place. Signed-off-by: -
Konstantin Komarov authored
Removed attr_must_be_resident and ntfs_query_def. Signed-off-by: -
Konstantin Komarov authored
Fixing various problems, detected by sparse. Signed-off-by: -
Konstantin Komarov authored
Added ntfs_bitmap_weight_le function. Changed argument types of bits/bitmap functions. Signed-off-by: -
Thomas Kühnel authored
The functions from bitops.h already have _le variants so use them to prevent invalid reads/writes of the bitmap on big endian systems. Signed-off-by:
Thomas Kühnel <thomas.kuehnel@avm.de> Signed-off-by:
-
Thomas Kühnel authored
__bitmap_set/__bitmap_clear only works with bitmaps in CPU order. Define a variant of these functions in ntfs3 to handle modifying bitmaps read from the filesystem. Signed-off-by:
Nicolas Schier <n.schier@avm.de> Signed-off-by:
-
Thomas Kühnel authored
ni_fname_name called ntfs_cmp_names_cpu which assumes that the first string is in CPU byte order and the second one in little endian. In this case both strings are little endian so ntfs_cmp_names is the correct function to call. Signed-off-by:
-
Yin Xiujiang authored
When PAGE_SIZE is 64K, if read_log_page is called by log_read_rst for the first time, the size of *buffer would be equal to DefaultLogPageSize(4K).But for *buffer operations like memcpy, if the memory area size(n) which being assigned to buffer is larger than 4K (log->page_size(64K) or bytes(64K-page_off)), it will cause an out of boundary error. Call trace: [...] kasan_report+0x44/0x130 check_memory_region+0xf8/0x1a0 memcpy+0xc8/0x100 ntfs_read_run_nb+0x20c/0x460 read_log_page+0xd0/0x1f4 log_read_rst+0x110/0x75c log_replay+0x1e8/0x4aa0 ntfs_loadlog_and_replay+0x290/0x2d0 ntfs_fill_super+0x508/0xec0 get_tree_bdev+0x1fc/0x34c [...] Fix this by setting variable r_page to NULL in log_read_rst. Signed-off-by:
Yin Xiujiang <yinxiujiang@kylinos.cn> Signed-off-by:
-
- 12 Nov, 2022 16 commits
-
-
Dan Carpenter authored
There were two patches which addressed the same bug and added the same condition: commit 6db62086 ("fs/ntfs3: Validate data run offset") commit 887bfc54 ("fs/ntfs3: Fix slab-out-of-bounds read in run_unpack") Delete one condition. Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Daniel Pinto authored
Add documentation for system.ntfs_attrib_be extended attribute. Signed-off-by:
Daniel Pinto <danielpinto52@gmail.com> Signed-off-by:
-
Daniel Pinto authored
NTFS-3G provides the system.ntfs_attrib_be extended attribute, which has the same value as system.ntfs_attrib but represented in big-endian. Some utilities rely on the existence of this extended attribute. Improves compatibility with NTFS-3G by adding the system.ntfs_attrib_be extended attribute. Signed-off-by:
-
Daniel Pinto authored
The hidedotfiles mount option provides the same functionality as the NTFS-3G hide_dot_files mount option. As such, it should be named the same for compatibility with NTGS-3G. Rename the hidedotfiles to hide_dot_files for compatbility with NTFS-3G. Signed-off-by:
-
Daniel Pinto authored
Add documentation for the hidedotfiles mount option. Signed-off-by:
-
Daniel Pinto authored
Currently, the ntfs3 driver does return the hidedotfiles mount option in the list of enabled mount options. This can confuse users who may doubt they enabled the option when not seeing in the list provided by the mount command. Add hidedotfiles mount option to the list of enabled options provided by the mount command when it is enabled. Signed-off-by:
-
Daniel Pinto authored
Currently, the hidedotfiles mount option only has an effect when creating new files. Removing or adding the starting dot when moving or renaming files does not update the hidden attribute. Make hidedotfiles also set or uset the hidden attribute when a file gains or loses its starting dot by being moved or renamed. Signed-off-by:
-
Daniel Pinto authored
Currently, the hidedotfiles mount option is behaving in the reverse way of what would be expected: enabling it disables setting the hidden attribute on files or directories with names starting with a dot and disabling it enables the setting. Reverse the behaviour of the hidedotfiles mount option so it matches what is expected. Signed-off-by:
-
Daniel Pinto authored
Add documentation for windows_names mount option. Signed-off-by:
-
Daniel Pinto authored
When enabled, the windows_names mount option prevents the creation of files or directories with names not allowed by Windows. Use the same option name as NTFS-3G for compatibility. Signed-off-by:
-
Nathan Chancellor authored
'a == b ? 0 : 1' is logically equivalent to 'a != b'. Suggested-by:
Nick Desaulniers <ndesaulniers@google.com> Signed-off-by:
Nathan Chancellor <nathan@kernel.org> Signed-off-by:
-
Abdun Nihaal authored
The data_size and valid_size fields of non resident attributes should be less than the its alloc_size field, but this is not checked in ntfs_read_mft function. Syzbot reports a allocation order warning due to a large unchecked value of data_size getting assigned to inode->i_size which is then passed to kcalloc. Add sanity check for ensuring that the data_size and valid_size fields are not larger than alloc_size field. Link: https://syzkaller.appspot.com/bug?extid=fa4648a5446460b7b963 Reported-and-tested-by: syzbot+fa4648a5446460b7b963@syzkaller.appspotmail.com Fixes: (82cae269) fs/ntfs3: Add initialization of super block Signed-off-by:
Abdun Nihaal <abdun.nihaal@gmail.com> Signed-off-by:
-
Tetsuo Handa authored
syzbot is reporting too large allocation at ntfs_fill_super() [1], for a crafted filesystem can contain bogus inode->i_size. Add __GFP_NOWARN in order to avoid too large allocation warning, than exhausting memory by using kvmalloc(). Link: https://syzkaller.appspot.com/bug?extid=33f3faaa0c08744f7d40 [1] Reported-by:
syzot <syzbot+33f3faaa0c08744f7d40@syzkaller.appspotmail.com> Signed-off-by:
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by:
-
Tetsuo Handa authored
syzbot is reporting too large allocation at wnd_init() [1], for a crafted filesystem can become wnd->nwnd close to UINT_MAX. Add __GFP_NOWARN in order to avoid too large allocation warning, than exhausting memory by using kvcalloc(). Link: https://syzkaller.appspot.com/bug?extid=fa4648a5446460b7b963 [1] Reported-by:
syzot <syzbot+fa4648a5446460b7b963@syzkaller.appspotmail.com> Signed-off-by:
-
Abdun Nihaal authored
Syzbot reports an out of bound access in ntfs_trim_fs. The cause of this is using a loop termination condition that compares window index (iw) with wnd->nbits instead of wnd->nwnd, due to which the index used for wnd->free_bits exceeds the size of the array allocated. Fix the loop condition. Fixes: 3f3b442b ("fs/ntfs3: Add bitmap") Link: https://syzkaller.appspot.com/bug?extid=b892240eac461e488d51 Reported-by: syzbot+b892240eac461e488d51@syzkaller.appspotmail.com Signed-off-by:
-
Edward Lo authored
This enhances the sanity check for $SDH and $SII while initializing NTFS security, guarantees these index root are legit. [ 162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320 [ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243 [ 162.460851] [ 162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42 [ 162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 162.462609] Call Trace: [ 162.462954] <TASK> [ 162.463276] dump_stack_lvl+0x49/0x63 [ 162.463822] print_report.cold+0xf5/0x689 [ 162.464608] ? unwind_get_return_address+0x3a/0x60 [ 162.465766] ? hdr_find_e.isra.0+0x10c/0x320 [ 162.466975] kasan_report+0xa7/0x130 [ 162.467506] ? _raw_spin_lock_irq+0xc0/0xf0 [ 162.467998] ? hdr_find_e.isra.0+0x10c/0x320 [ 162.468536] __asan_load2+0x68/0x90 [ 162.468923] hdr_find_e.isra.0+0x10c/0x320 [ 162.469282] ? cmp_uints+0xe0/0xe0 [ 162.469557] ? cmp_sdh+0x90/0x90 [ 162.469864] ? ni_find_attr+0x214/0x300 [ 162.470217] ? ni_load_mi+0x80/0x80 [ 162.470479] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 162.470931] ? ntfs_bread_run+0x190/0x190 [ 162.471307] ? indx_get_root+0xe4/0x190 [ 162.471556] ? indx_get_root+0x140/0x190 [ 162.471833] ? indx_init+0x1e0/0x1e0 [ 162.472069] ? fnd_clear+0x115/0x140 [ 162.472363] ? _raw_spin_lock_irqsave+0x100/0x100 [ 162.472731] indx_find+0x184/0x470 [ 162.473461] ? sysvec_apic_timer_interrupt+0x57/0xc0 [ 162.474429] ? indx_find_buffer+0x2d0/0x2d0 [ 162.474704] ? do_syscall_64+0x3b/0x90 [ 162.474962] dir_search_u+0x196/0x2f0 [ 162.475381] ? ntfs_nls_to_utf16+0x450/0x450 [ 162.475661] ? ntfs_security_init+0x3d6/0x440 [ 162.475906] ? is_sd_valid+0x180/0x180 [ 162.476191] ntfs_extend_init+0x13f/0x2c0 [ 162.476496] ? ntfs_fix_post_read+0x130/0x130 [ 162.476861] ? iput.part.0+0x286/0x320 [ 162.477325] ntfs_fill_super+0x11e0/0x1b50 [ 162.477709] ? put_ntfs+0x1d0/0x1d0 [ 162.477970] ? vsprintf+0x20/0x20 [ 162.478258] ? set_blocksize+0x95/0x150 [ 162.478538] get_tree_bdev+0x232/0x370 [ 162.478789] ? put_ntfs+0x1d0/0x1d0 [ 162.479038] ntfs_fs_get_tree+0x15/0x20 [ 162.479374] vfs_get_tree+0x4c/0x130 [ 162.479729] path_mount+0x654/0xfe0 [ 162.480124] ? putname+0x80/0xa0 [ 162.480484] ? finish_automount+0x2e0/0x2e0 [ 162.480894] ? putname+0x80/0xa0 [ 162.481467] ? kmem_cache_free+0x1c4/0x440 [ 162.482280] ? putname+0x80/0xa0 [ 162.482714] do_mount+0xd6/0xf0 [ 162.483264] ? path_mount+0xfe0/0xfe0 [ 162.484782] ? __kasan_check_write+0x14/0x20 [ 162.485593] __x64_sys_mount+0xca/0x110 [ 162.486024] do_syscall_64+0x3b/0x90 [ 162.486543] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 162.487141] RIP: 0033:0x7f9d374e948a [ 162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a [ 162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0 [ 162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020 [ 162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0 [ 162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff [ 162.493644] </TASK> [ 162.493908] [ 162.494214] The buggy address belongs to the physical page: [ 162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc [ 162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) [ 162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000 [ 162.498928] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000 [ 162.500542] page dumped because: kasan: bad access detected [ 162.501057] [ 162.501242] Memory state around the buggy address: [ 162.502230] ffff8880037bc980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 162.502977] ffff8880037bca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 162.503522] >ffff8880037bca80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 162.503963] ^ [ 162.504370] ffff8880037bcb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 162.504766] ffff8880037bcb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Signed-off-by:
Edward Lo <edward.lo@ambergroup.io> Signed-off-by:
-
- 26 Oct, 2022 1 commit
-
-
Nathan Chancellor authored
Clang warns: fs/ntfs3/namei.c:445:7: error: variable 'uni1' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized] if (toupper(c1) != toupper(c2)) { ^~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/ctype.h:64:20: note: expanded from macro 'toupper' #define toupper(c) __toupper(c) ^ fs/ntfs3/namei.c:487:12: note: uninitialized use occurs here __putname(uni1); ^~~~ ./include/linux/fs.h:2789:65: note: expanded from macro '__putname' #define __putname(name) kmem_cache_free(names_cachep, (void *)(name)) ^~~~ fs/ntfs3/namei.c:445:3: note: remove the 'if' if its condition is always false if (toupper(c1) != toupper(c2)) { ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ fs/ntfs3/namei.c:434:7: error: variable 'uni1' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized] if (!lm--) { ^~~~~ fs/ntfs3/namei.c:487:12: note: uninitialized use occurs here __putname(uni1); ^~~~ ./include/linux/fs.h:2789:65: note: expanded from macro '__putname' #define __putname(name) kmem_cache_free(names_cachep, (void *)(name)) ^~~~ fs/ntfs3/namei.c:434:3: note: remove the 'if' if its condition is always false if (!lm--) { ^~~~~~~~~~~~ fs/ntfs3/namei.c:430:22: note: initialize the variable 'uni1' to silence this warning struct cpu_str *uni1, *uni2; ^ = NULL 2 errors generated. There is no point in calling __putname() in these particular error paths, as there has been no corresponding __getname() call yet. Just return directly in these blocks to clear up the warning. Fixes: a3a956c7 ("fs/ntfs3: Add option "nocase"") Link: https://github.com/ClangBuiltLinux/linux/issues/1729Signed-off-by:
-
- 30 Sep, 2022 2 commits
-
-
Yuan Can authored
The way of determin attribute type is just matching name with the predefined string, do this with strcmp to simplify the code. Signed-off-by:
Yuan Can <yuancan@huawei.com> Signed-off-by:
-
Hawkins Jiawei authored
Syzkaller reports slab-out-of-bounds bug as follows: ================================================================== BUG: KASAN: slab-out-of-bounds in run_unpack+0x8b7/0x970 fs/ntfs3/run.c:944 Read of size 1 at addr ffff88801bbdff02 by task syz-executor131/3611 [...] Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 run_unpack+0x8b7/0x970 fs/ntfs3/run.c:944 run_unpack_ex+0xb0/0x7c0 fs/ntfs3/run.c:1057 ntfs_read_mft fs/ntfs3/inode.c:368 [inline] ntfs_iget5+0xc20/0x3280 fs/ntfs3/inode.c:501 ntfs_loadlog_and_replay+0x124/0x5d0 fs/ntfs3/fsntfs.c:272 ntfs_fill_super+0x1eff/0x37f0 fs/ntfs3/super.c:1018 get_tree_bdev+0x440/0x760 fs/super.c:1323 vfs_get_tree+0x89/0x2f0 fs/super.c:1530 do_new_mount fs/namespace.c:3040 [inline] path_mount+0x1326/0x1e20 fs/namespace.c:3370 do_mount fs/namespace.c:3383 [inline] __do_sys_mount fs/namespace.c:3591 [inline] __se_sys_mount fs/namespace.c:3568 [inline] __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] </TASK> The buggy address belongs to the physical page: page:ffffea00006ef600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bbd8 head:ffffea00006ef600 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88801bbdfe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88801bbdfe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88801bbdff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88801bbdff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88801bbe0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Kernel will tries to read record and parse MFT from disk in ntfs_read_mft(). Yet the problem is that during enumerating attributes in record, kernel doesn't check whether run_off field loading from the disk is a valid value. To be more specific, if attr->nres.run_off is larger than attr->size, kernel will passes an invalid argument run_buf_size in run_unpack_ex(), which having an integer overflow. Then this invalid argument will triggers the slab-out-of-bounds Read bug as above. This patch solves it by adding the sanity check between the offset to packed runs and attribute size. link: https://lore.kernel.org/all/0000000000009145fc05e94bd5c3@google.com/#t Reported-and-tested-by: syzbot+8d6fbb27a6aded64b25b@syzkaller.appspotmail.com Signed-off-by:Hawkins Jiawei <yin31149@gmail.com> Signed-off-by:
-
