Re: [PATCH] adfs: validate nzones in adfs_read_map()

From: Russell King (Oracle)

Date: Fri Mar 20 2026 - 10:37:55 EST


On Fri, Mar 20, 2026 at 03:23:56PM +0100, Greg Kroah-Hartman wrote:
> From: Bae Yeonju <iwasbaeyz@xxxxxxxxx>
>
> adfs_read_map() reads the zone count from the on-disk disc record
> without validation:
>
> nzones = dr->nzones | dr->nzones_high << 8;
>
> When nzones is 0, the subsequent kmalloc_array(0, ...) returns
> ZERO_SIZE_PTR (0x10), and adfs_map_layout() writes to dm[-1],
> causing an out-of-bounds write before the allocated buffer.
>
> This can be triggered by mounting a crafted ADFS filesystem image
> with nzones set to 0 in the disc record. It leads to kernel heap
> corruption and a NULL pointer dereference during mount.
>
> Add a check to reject disc records with nzones == 0 before the
> allocation.
>
> Found by syzkaller.

I didn't see this patch.

This is a silly place to put the check - it should be done while
validating the disc record, in adfs_validate_bblk(), not when trying
to use it.

Note that adfs_validate_dr0() already validates the number of zones.

--
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
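An added user-space model of the mechanism the commit message describes and of the placement the reply asks for; this is illustration code written for this page, not the kernel's fs/adfs sources. It assembles the two-byte zone count the way the quoted line does, rejects a zero count in a validation step that runs before any allocation (the reply's point: validate the disc record, then use it), and stands in for kmalloc_array() returning a non-NULL ZERO_SIZE_PTR for a zero-element request. The cut-down struct disc_record, the MODEL_ prefixed names and every helper function are assumptions for illustration only; adfs_validate_bblk(), adfs_validate_dr0() and adfs_map_layout() are referred to but not reproduced beyond the dm[nzones - 1] index the message mentions, and no out-of-bounds write is actually performed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cut-down disc record: only the two zone-count bytes the
 * commit message names. Offsets and the rest of the real ADFS record
 * are deliberately not modelled. */
struct disc_record {
    uint8_t nzones;       /* low byte of the zone count */
    uint8_t nzones_high;  /* high byte of the zone count */
};

/* Stand-in for the per-zone map entry the real code fills in. */
struct disc_map {
    unsigned int startblk;
    unsigned int startbit;
    unsigned int endbit;
};

/* The kernel's kmalloc_array() answers a zero-element request with
 * ZERO_SIZE_PTR (a non-NULL sentinel, 0x10) rather than failing.
 * MODEL_ZERO_SIZE_PTR mirrors that behaviour here (assumption). */
#define MODEL_ZERO_SIZE_PTR ((void *)16)

static void *model_kmalloc_array(size_t n, size_t size)
{
    if (n == 0)
        return MODEL_ZERO_SIZE_PTR;
    return calloc(n, size);
}

/* Zone count as the quoted line assembles it: low byte | high byte << 8. */
static unsigned int read_nzones(const struct disc_record *dr)
{
    return dr->nzones | (unsigned int)dr->nzones_high << 8;
}

/* The check placed where the reply wants it: with the rest of the
 * disc-record validation, before anything is allocated.
 * Returns 0 when the count is usable, -EINVAL when it is zero. */
static int validate_nzones(const struct disc_record *dr)
{
    return read_nzones(dr) == 0 ? -EINVAL : 0;
}

/* Model of the layout step: instead of writing, report the index of the
 * last zone the real code touches (dm[nzones - 1]) and whether it lies
 * inside an nzones-element buffer. Returns the index, or -1 when the
 * write would fall outside the buffer. */
static long last_zone_index(unsigned int nzones)
{
    long idx = (long)nzones - 1;
    return (idx >= 0 && (unsigned long)idx < nzones) ? idx : -1;
}

/* Unvalidated path, mirroring the bug: allocate from the unchecked count,
 * then ask whether the layout step would write out of bounds.
 * Returns 1 if it would, 0 if the buffer is real and the index in range.
 * The write itself is never performed. */
static int read_map_unvalidated(const struct disc_record *dr)
{
    unsigned int nzones = read_nzones(dr);
    struct disc_map *dm = model_kmalloc_array(nzones, sizeof(*dm));
    int oob = (dm == MODEL_ZERO_SIZE_PTR) || last_zone_index(nzones) < 0;

    if (dm != MODEL_ZERO_SIZE_PTR)
        free(dm);
    return oob;
}

/* Validated path: the record is checked first, so a zero count is
 * rejected and the zero-size allocation is never reached.
 * Returns 0 on success or a negative errno value. */
static int read_map_validated(const struct disc_record *dr)
{
    int ret = validate_nzones(dr);
    if (ret)
        return ret;
    /* With nzones >= 1 the allocation is real and dm[nzones - 1] is in
     * range; -EIO here would mean the model's invariant was broken. */
    return read_map_unvalidated(dr) ? -EIO : 0;
}

int main(void)
{
    /* Constructed records: a crafted one with both zone-count bytes zero,
     * as in the image the commit message describes, and a sane one. */
    struct disc_record crafted = { .nzones = 0, .nzones_high = 0 };
    struct disc_record sane = { .nzones = 1, .nzones_high = 0 };

    printf("crafted: unvalidated OOB=%d, validated ret=%d\n",
           read_map_unvalidated(&crafted), read_map_validated(&crafted));
    printf("sane:    unvalidated OOB=%d, validated ret=%d\n",
           read_map_unvalidated(&sane), read_map_validated(&sane));
    return 0;
}
```

The model keeps the two paths side by side on purpose: the unvalidated one reproduces the order of operations the commit message describes (allocate from the raw count, then lay out zones), while the validated one shows that a check in the validation step makes both the sentinel allocation and the out-of-range index unreachable, so no check is needed at the point of use.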