When mounting, if Attribute data is corrupted, doing named attribute
lookup can lead to invalid memory access. This is reported by syzkaller.

This patch adds a sanity check prior to attribute name lookup. If attribute's
name_offset is invalid, it will mark volume error and return -EIO.

Reported-by: syzbot+ecbcf37464c627253...@syzkaller.appspotmail.com
Signed-off-by: Fox Chen <foxhlc...@gmail.com>
---
 fs/ntfs/attrib.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c
index d563abc3e136..e7366f74ff62 100644
--- a/fs/ntfs/attrib.c
+++ b/fs/ntfs/attrib.c
@@ -607,6 +607,16 @@ static int ntfs_attr_find(const ATTR_TYPE type, const 
ntfschar *name,
                 * If @name is present, compare the two names.  If @name is
                 * missing, assume we want an unnamed attribute.
                 */
+
+               /*
+                * Sanity check, a->name_offset should be within the range of 
a->lengh,
+                */
+               if (name && ((u8*)a + le16_to_cpu(a->name_offset)) > ((u8*)a + 
le32_to_cpu(a->length))) {
+                       ntfs_error(vol->sb, "Invalid Attribute Name. Inode is 
corrupt.  Run chkdsk.");
+                       NVolSetErrors(vol);
+                       return -EIO;
+               }
+
                if (!name) {
                        /* The search failed if the found attribute is named. */
                        if (a->name_length)
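Review bot: the bound in the new `if (name && ...)` check only validates where the name starts, not where it ends, so a record whose name_offset lies inside a->length but whose name_length extends past it still lets the name comparison read beyond the attribute record. The check should include the name's byte size, for example `le16_to_cpu(a->name_offset) + a->name_length * sizeof(ntfschar) > le32_to_cpu(a->length)`, which also avoids the `(u8*)a + ...` pointer arithmetic on both sides since plain integer comparison is sufficient here. The comparison should be `>=` rather than `>` for the start offset as well: a name_offset equal to a->length points exactly one past the end of the record. Two smaller points: the comment spells `a->length` as "a->lengh" and ends with a stray comma, and the check is skipped when @name is NULL even though `a->name_length` is read in that branch; that read is inside the record header so it is safe, but it is worth stating in the comment why the guard is limited to the named case.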
-- 
2.25.1
