summaryrefslogtreecommitdiff
path: root/fs
diff options
context:
space:
mode:
authorPavel Skripkin <paskripkin@gmail.com>2023-07-13 22:41:46 +0300
committerKonstantin Komarov <almaz.alexandrovich@paragon-software.com>2023-09-28 15:04:05 +0300
commit34e6552a442f268eefd408e47f4f2d471aa64829 (patch)
tree52f713ca4d6e787f362dc661af08e572bc4af188 /fs
parent8e7e27b2ee1e19c4040d4987e345f678a74c0aed (diff)
fs/ntfs3: Fix OOB read in ntfs_init_from_boot
Syzbot was able to create a device which has the last sector of size 512. After failing to boot from initial sector, reading from boot info from offset 511 causes OOB read. To prevent such reports add sanity check to validate if size of buffer_head if big enough to hold ntfs3 bootinfo Fixes: 6a4cd3ea7d77 ("fs/ntfs3: Alternative boot if primary boot is corrupted") Reported-by: syzbot+53ce40c8c0322c06aea5@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/ntfs3/super.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index cf0a720523f0..5341ed80e2d2 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -878,6 +878,11 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size,
check_boot:
err = -EINVAL;
+
+ /* Corrupted image; do not read OOB */
+ if (bh->b_size - sizeof(*boot) < boot_off)
+ goto out;
+
boot = (struct NTFS_BOOT *)Add2Ptr(bh->b_data, boot_off);
if (memcmp(boot->system_id, "NTFS ", sizeof("NTFS ") - 1)) {