Commit 2cea936f authored Aug 27, 2024 by Huacai Chen Committed by Long Li Aug 27, 2024

fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed

stable inclusion
from stable-v5.15.164
commit 0484adcb5fbcadd9ba0fd4485c42630f72e97da9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKPVC
CVE: CVE-2024-42299

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=tags/v5.15.165&id=0484adcb5fbcadd9ba0fd4485c42630f72e97da9



--------------------------------

commit 2fef55d8f78383c8e6d6d4c014b9597375132696 upstream.

If an NTFS file system is mounted to another system with different
PAGE_SIZE from the original system, log->page_size will change in
log_replay(), but log->page_{mask,bits} don't change correspondingly.
This will cause a panic because "u32 bytes = log->page_size - page_off"
will get a negative value in the later read_log_page().

Cc: stable@vger.kernel.org
Fixes: b46acd6a ("fs/ntfs3: Add NTFS journal")
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Long Li <leo.lilong@huawei.com>

parent 9faee06a

fs/ntfs3/fslog.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -3953,6 +3953,9 @@ int log_replay(struct ntfs_inode ni, bool initialized)
		goto out;
		}

		log->page_mask = log->page_size - 1;
		log->page_bits = blksize_bits(log->page_size);

		/* If the file size has shrunk then we won't mount it. */
		if (l_size < le64_to_cpu(ra2->l_size)) {
		err = -EINVAL;