Commit addd9084 authored Nov 14, 2024 by Andrew Ballance Committed by Zizhi Wo Nov 14, 2024

fs/ntfs3: Check if more than chunk-size bytes are written

stable inclusion
from stable-v5.15.171
commit e5ae7859008688626b4d2fa6139eeaa08e255053
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB379U
CVE: CVE-2024-50247

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e5ae7859008688626b4d2fa6139eeaa08e255053



--------------------------------

[ Upstream commit 9931122d04c6d431b2c11b5bb7b10f28584067f0 ]

A incorrectly formatted chunk may decompress into
more than LZNT_CHUNK_SIZE bytes and a index out of bounds
will occur in s_max_off.

Signed-off-by: Andrew Ballance <andrewjballance@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Zizhi Wo <wozizhi@huawei.com>

parent 53677a49

fs/ntfs3/lznt.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -236,6 +236,9 @@ static inline ssize_t decompress_chunk(u8 unc, u8 unc_end, const u8 *cmpr,

		/* Do decompression until pointers are inside range. */
		while (up < unc_end && cmpr < cmpr_end) {
		// return err if more than LZNT_CHUNK_SIZE bytes are written
		if (up - unc > LZNT_CHUNK_SIZE)
		return -EINVAL;
		/* Correct index */
		while (unc + s_max_off[index] < up)
		index += 1;