ntfs: add check for mft record size in superblock

Number of bytes allocated for mft record should be equal to the mft record size stored in ntfs superblock as reported by syzbot, userspace might trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find() Reported-by: [email protected] Signed-off-by: Rustam Kovhaev <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Tested-by: [email protected] Acked-by: Anton Altaparmakov <[email protected]> Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Linus Torvalds <[email protected]>
josf · Oct 14, 2020 · 4f8c940 · 4f8c940
1 parent d72e720
commit 4f8c940
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
@@ -1810,6 +1810,12 @@ int ntfs_read_inode_mount(struct inode *vi)
 		brelse(bh);
 	}
 
+	if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) {
+		ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.",
+				le32_to_cpu(m->bytes_allocated), vol->mft_record_size);
+		goto err_out;
+	}
+
 	/* Apply the mst fixups. */
 	if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) {
 		/* FIXME: Try to use the $MFTMirr now. */