When mounting, if attribute data is corrupted, doing named attribute lookup can lead to invalid memory access. This is reported by syzkaller.
This patch adds a sanity check prior to attribute name lookup. If the attribute's name_offset is invalid, it will mark the volume as having errors and return -EIO. Reported-by: syzbot+ecbcf37464c627253...@syzkaller.appspotmail.com Signed-off-by: Fox Chen <foxhlc...@gmail.com> --- fs/ntfs/attrib.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c index d563abc3e136..e7366f74ff62 100644 --- a/fs/ntfs/attrib.c +++ b/fs/ntfs/attrib.c @@ -607,6 +607,16 @@ static int ntfs_attr_find(const ATTR_TYPE type, const ntfschar *name, * If @name is present, compare the two names. If @name is * missing, assume we want an unnamed attribute. */ + + /* + * Sanity check, a->name_offset should be within the range of a->lengh, + */ + if (name && ((u8*)a + le16_to_cpu(a->name_offset)) > ((u8*)a + le32_to_cpu(a->length))) { + ntfs_error(vol->sb, "Invalid Attribute Name. Inode is corrupt. Run chkdsk."); + NVolSetErrors(vol); + return -EIO; + } + if (!name) { /* The search failed if the found attribute is named. */ if (a->name_length) -- 2.25.1
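Review bot: the bound in the new `if` in ntfs_attr_find is too weak to stop the out-of-bounds read it targets: it only rejects `name_offset > length`, but the name comparison the surrounding comment describes ("If @name is present, compare the two names") reads `a->name_length` ntfschars starting at `name_offset`, so a record whose `name_offset` sits just inside `a->length` with a large `name_length` still reads past the attribute. Check the end of the name rather than its start, e.g. `if (name && le16_to_cpu(a->name_offset) + a->name_length * sizeof(ntfschar) > le32_to_cpu(a->length))` (the existing code already uses `a->name_length` without a byte-order conversion, so it can be used the same way here). That form also drops the `(u8*)a +` on both sides: adding two offsets to the same base and comparing the resulting pointers is just an obfuscated integer compare, and pointers formed past the object are best avoided. The check also only helps if `a->length` has itself been bounded against the end of the MFT record by the loop above; if it has not, that bound needs to come first. Minor: the comment has a typo (`a->lengh`) and ends with a dangling comma, and kernel style writes the casts as `(u8 *)a`.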