From: Edward Adam Davis <eadavis(a)sina.com>
The root cause is:
The remaining space after the offset is less than the space needed to
accommodate the next EA_FULL struct.
Link:
https://syzkaller.appspot.com/bug?extid=c4d950787fd5553287b7
Reported-by: syzbot+c4d950787fd5553287b7(a)syzkaller.appspotmail.com
Suggested-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Edward Adam Davis <eadavis(a)sina.com>
---
Changes in v3:
Add Suggested-by: and fix the syntax error.
fs/ntfs3/xattr.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
index 7de8718c68a9..c90cc453390d 100644
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -52,6 +52,7 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
for (;;) {
const struct EA_FULL *ea = Add2Ptr(ea_all, *off);
u32 next_off = *off + unpacked_ea_size(ea);
+ u32 next_len = 0;
if (next_off > bytes)
return false;
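Review bot: the initializer on `u32 next_len = 0;` in this hunk is dead, since the variable is first assigned (`next_len = next_off + 8;`) at the bottom of the same iteration before any read; either declare it at the point of assignment as `u32 next_len = next_off + 8;` or drop the `= 0` so a reader does not look for a path where the zero matters.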
@@ -63,6 +64,13 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
*off = next_off;
if (next_off >= bytes)
return false;
+
+ next_len = next_off + 8;
+ if (next_len >= bytes ||
+ ((!ea->size) &&
+ (next_len + ea->name_len +
+ le16_to_cpu(ea->elength) >= bytes)))
+ return false;
}
}
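Review bot: the `!ea->size` branch in this hunk measures the wrong entry. `ea->size`, `ea->name_len` and `ea->elength` belong to the entry at `*off` that the loop has just walked, and `next_off` was already derived from `unpacked_ea_size(ea)` at the top of the loop, so `next_len + ea->name_len + le16_to_cpu(ea->elength) >= bytes` re-compares the current entry against the buffer end instead of checking that the next EA_FULL fits, which is what the commit message says the fix is for. To validate the next entry, require the fixed header to fit first (`if (next_off + 8 > bytes) return false;`), then read the header at `Add2Ptr(ea_all, next_off)` and compare its `unpacked_ea_size()` with `bytes - next_off`; alternatively move the header check to the top of the loop, before `unpacked_ea_size(ea)` is called, which also covers the first iteration, since a check placed at the end of the body only runs after one header has already been read. Two smaller points: `next_len >= bytes` rejects an entry whose header ends exactly at `bytes` (`>` is the exact bound, although such an entry has no room for a name and could not match anyway), and if 8 is the size of the `struct EA_FULL` header in front of `name`, spell it `offsetof(struct EA_FULL, name)` rather than a magic number.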
--
2.37.2