Re: [syzbot] kernel BUG in ntfs_read_inode_mount

[Pavel Skripkin]

On 1/17/22 22:02, Pavel Skripkin wrote:
> On 1/17/22 13:09, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    d0a231f01e5b Merge tag 'pci-v5.17-changes' of git://git.ke..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=11f83837b00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=986ed422f1741853
> > dashboard link: https://syzkaller.appspot.com/bug?extid=3c765c5248797356edaa
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
>
> Sad :(
>
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+3c765c5248797356edaa@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> __ntfs_malloc() calls BUG_ON() in case of requested size is equal to
> zero. Seems like syzbot has once again crafted malicious fs image that
> has attr_list_size == 0
>
> Just for thoughts

Clicked 'Send' button too early, sorry

With regards,
Pavel Skripkin

diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index f5c058b3192c..a93fc3dbd4fd 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -1881,6 +1881,9 @@ int ntfs_read_inode_mount(struct inode *vi)
 		}
 		/* Now allocate memory for the attribute list. */
 		ni->attr_list_size = (u32)ntfs_attr_size(a);
+		if (ni->attr_list_size == 0)
+			goto put_err_out;
+
 		ni->attr_list = ntfs_malloc_nofs(ni->attr_list_size);
 		if (!ni->attr_list) {
 			ntfs_error(sb, "Not enough memory to allocate buffer "