[PATCH 6.1.y] fs/ntfs3: Fixed overflow check in mi_enum_attr()

From: Nikita Zhandarovich
Date: Sat Nov 30 2024 - 10:58:48 EST

Next message: Ming Lei: "Re: [syzbot] [block?] [trace?] possible deadlock in do_page_mkwrite (2)"
Previous message: Dan Carpenter: "drivers/net/wireless/st/cw1200/cw1200_spi.c:440 cw1200_spi_disconnect() error: we previously assumed 'self' could be null (see line 433)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Konstantin Komarov <almaz.alexandrovich@xxxxxxxxxxxxxxxxxxxx>

[ Upstream commit 652cfeb43d6b9aba5c7c4902bed7a7340df131fb ]

Reported-by: Robert Morris <rtm@xxxxxxxxxxxxx>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@xxxxxxxxxxxxxxxxxxxx>
[Nikita: Fix for CVE-2024-27407 in 6.1.y. No changes were made
to get it to apply to older branch.]
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@xxxxxxxxxx>
---
fs/ntfs3/record.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c
index 7ab452710572..826a756669a3 100644
--- a/fs/ntfs3/record.c
+++ b/fs/ntfs3/record.c
@@ -273,7 +273,7 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr)
if (t16 > asize)
return NULL;

- if (t16 + le32_to_cpu(attr->res.data_size) > asize)
+ if (le32_to_cpu(attr->res.data_size) > asize - t16)
return NULL;

if (attr->name_len &&
--
2.25.1

Next message: Ming Lei: "Re: [syzbot] [block?] [trace?] possible deadlock in do_page_mkwrite (2)"
Previous message: Dan Carpenter: "drivers/net/wireless/st/cw1200/cw1200_spi.c:440 cw1200_spi_disconnect() error: we previously assumed 'self' could be null (see line 433)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]