Commit 33bbdf1a authored Apr 12, 2024 by Edward Adam Davis Committed by Baokun Li Apr 12, 2024

fs/ntfs3: Fix oob in ntfs_listxattr

mainline inclusion
from mainline-v6.8-rc4
commit 731ab1f9828800df871c5a7ab9ffe965317d3f15
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E2O5
CVE: CVE-2023-52640

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=731ab1f9828800df871c5a7ab9ffe965317d3f15



--------------------------------

The length of name cannot exceed the space occupied by ea.

Reported-and-tested-by:  <syzbot+65e940cfb8f99a97aca7@syzkaller.appspotmail.com>
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>

parent e53f1b04

fs/ntfs3/xattr.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -217,6 +217,9 @@ static ssize_t ntfs_list_ea(struct ntfs_inode ni, char buffer,
		if (!ea->name_len)
		break;

		if (ea->name_len > ea_size)
		break;

		if (buffer) {
		/* Check if we can use field ea->name */
		if (off + ea_size > size)