diff options
| author | Valeriy Yashnikov <yashnikov.valeriy@gmail.com> | 2026-07-04 19:38:57 +1000 |
|---|---|---|
| committer | Namjae Jeon <linkinjeon@kernel.org> | 2026-07-06 20:27:13 +0900 |
| commit | 5b6eedd7cc2936f9238e852b553a1b326105bde8 (patch) | |
| tree | f2eaf492aaec56bd6d3e7cf59fd78ed259f1d1e7 /rust/zerocopy/src/pointer/git@git.tavy.me:linux-stable.git | |
| parent | b8d6c528e9d57d263fee1a648409f84a68b2561d (diff) | |
ntfs: avoid calling post_write_mst_fixup() for invalid index_block
ntfs_icx_ib_sync_write() calls post_write_mst_fixup() when ntfs_ib_write()
returns an error, intending to restore the buffer after a failed write.
However, ntfs_ib_write() returns an error immediately if
pre_write_mst_fixup() validation fails. The caller,
ntfs_icx_ib_sync_write(), interprets any error as a write failure
requiring rollback. It does not differentiate between I/O errors and
validation failures, and calls post_write_mst_fixup() anyway.
Since post_write_mst_fixup() assumes that the index_block contents is
correct, it doesn't perform the boundary checks, which results in
out-of-bounds memory access.
An attacker can craft a malicious NTFS image with:
- large index_block.usa_ofs offset, pointing outside the ntfs_record
- index_block.usa_count = 0, causing integer underflow
- or index_block.usa_count larger than actual number of sectors in the
ntfs_record, causing out-of-bounds access
KASAN reports describing the memory corruption:
==================================================================
BUG: KASAN: slab-out-of-bounds in post_write_mst_fixup+0x19c/0x1d0
Read of size 2 at addr ffff8881586c9018 by task p/9428
Call Trace:
<TASK>
dump_stack_lvl+0x100/0x190
print_report+0x139/0x4ad
? post_write_mst_fixup+0x19c/0x1d0
? __virt_addr_valid+0x262/0x500
? post_write_mst_fixup+0x19c/0x1d0
kasan_report+0xe4/0x1d0
? post_write_mst_fixup+0x19c/0x1d0
post_write_mst_fixup+0x19c/0x1d0
ntfs_icx_ib_sync_write+0x179/0x220
ntfs_inode_sync_filename+0x83d/0x1080
__ntfs_write_inode+0x1049/0x1480
ntfs_file_fsync+0x131/0x9b0
==================================================================
BUG: KASAN: slab-out-of-bounds in post_write_mst_fixup+0x1aa/0x1d0
Write of size 2 at addr ffff8881586c91fe by task p/9428
Call Trace:
<TASK>
dump_stack_lvl+0x100/0x190
print_report+0x139/0x4ad
? post_write_mst_fixup+0x1aa/0x1d0
? __virt_addr_valid+0x262/0x500
? post_write_mst_fixup+0x1aa/0x1d0
kasan_report+0xe4/0x1d0
? post_write_mst_fixup+0x1aa/0x1d0
post_write_mst_fixup+0x1aa/0x1d0
ntfs_icx_ib_sync_write+0x179/0x220
ntfs_inode_sync_filename+0x83d/0x1080
__ntfs_write_inode+0x1049/0x1480
ntfs_file_fsync+0x131/0x9b0
==================================================================
Let's move the post_write_mst_fixup() call to ntfs_ib_write().
The ntfs_ib_write() function calls pre_write_mst_fixup() at the beginning.
If the index_block contents is invalid, pre_write_mst_fixup() fails and
ntfs_ib_write() returns early without calling post_write_mst_fixup() on
bad index_block.
Fixes: 0a8ac0c1fa0b ("ntfs: update directory operations")
Cc: stable@vger.kernel.org
Signed-off-by: Valeriy Yashnikov <yashnikov.valeriy@gmail.com>
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Diffstat (limited to 'rust/zerocopy/src/pointer/git@git.tavy.me:linux-stable.git')
0 files changed, 0 insertions, 0 deletions
