11:32 p.m.
From: eadaivs <eadaivs(a)sina.com>
1) If we call find_ea() if "bytes" less than 8 then the
unpacked_ea_size() is an out of bounds read.
2) The *off + unpacked_ea_size() can have an integer overflow.
Link: https://syzkaller.appspot.com/bug?extid=c4d950787fd5553287b7
Reported-by: syzbot+c4d950787fd5553287b7(a)syzkaller.appspotmail.com
Signed-off-by: eadaivs <eadaivs(a)sina.com>
---
Changes in v4:
Separate out the issue with the buffer overflow and the integer
overflow.
fs/ntfs3/xattr.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
index afd0ddad826f..3cd1a24c7bcc 100644
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -41,17 +41,23 @@ static inline size_t packed_ea_size(const struct EA_FULL *ea)
*
* Assume there is at least one xattr in the list.
*/
-static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
+static inline bool find_ea(const struct EA_FULL *ea_all, size_t bytes,
const char *name, u8 name_len, u32 *off)
{
+ const struct EA_FULL *ea;
+ u32 next_off;
*off = 0;
- if (!ea_all || !bytes)
+ if (!ea_all || bytes < sizeof(*ea))
return false;
for (;;) {
- const struct EA_FULL *ea = Add2Ptr(ea_all, *off);
- u32 next_off = *off + unpacked_ea_size(ea);
+ *ea = Add2Ptr(ea_all, *off);
+
+ if (sizeof(*ea) + *off > bytes)
+ return false;
+
+ next_off = size_add(*off, unpacked_ea_size(ea));
if (next_off > bytes)
return false;
@@ -61,8 +67,6 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
return true;
*off = next_off;
- if (next_off >= bytes)
- return false;
}
}
--
2.37.2