Commit 02472e6d authored Apr 08, 2024 by Dan Carpenter Committed by Long Li Apr 08, 2024

fs/ntfs3: Fix an NULL dereference bug

stable inclusion
from stable-v5.15.81
commit ae4acad41b0f93f1c26cc0fc9135bb79d8282d0b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9DNXE
CVE: CVE-2023-52631

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.15.y&id=ae4acad41b0f93f1c26cc0fc9135bb79d8282d0b



--------------------------------

[ Upstream commit b2dd7b953c25ffd5912dda17e980e7168bebcf6c ]

The issue here is when this is called from ntfs_load_attr_list().  The
"size" comes from le32_to_cpu(attr->res.data_size) so it can't overflow
on a 64bit systems but on 32bit systems the "+ 1023" can overflow and
the result is zero.  This means that the kmalloc will succeed by
returning the ZERO_SIZE_PTR and then the memcpy() will crash with an
Oops on the next line.

Fixes: be71b5cb ("fs/ntfs3: Add attrib operations")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Long Li <leo.lilong@huawei.com>

parent 183e1907

fs/ntfs3/ntfs_fs.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -466,7 +466,7 @@ bool al_delete_le(struct ntfs_inode *ni, enum ATTR_TYPE type, CLST vcn,
		int al_update(struct ntfs_inode *ni, int sync);
		static inline size_t al_aligned(size_t size)
		{
		return (size + 1023) & ~(size_t)1023;
		return size_add(size, 1023) & ~(size_t)1023;
		}

		/* Globals from bitfunc.c */