Unverified Commit d94eff5c authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!6059 fs/ntfs3: fix CVE-2023-52640 

Merge Pull Request from: @ci-robot 
 
PR sync from: Baokun Li <libaokun1@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/3WJZMB53VEOU23NDGC5DRIXIUQ5T5ZRZ/ 
Edward Adam Davis (1):
  fs/ntfs3: Fix oob in ntfs_listxattr

Zeng Heng (2):
  ntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr()
  fs/ntfs3: fix panic about slab-out-of-bounds caused by ntfs_list_ea()


-- 
2.31.1
 
https://gitee.com/src-openeuler/kernel/issues/I9E2O5 
 
Link:https://gitee.com/openeuler/kernel/pulls/6059

 

Reviewed-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parents f455c896 33bbdf1a

fs/ntfs3/xattr.c

+12 −1
Original line number Diff line number Diff line
@@ -209,11 +209,22 @@ static ssize_t ntfs_list_ea(struct ntfs_inode *ni, char *buffer, 
	size = le32_to_cpu(info->size);



	/* Enumerate all xattrs. */

	for (ret = 0, off = 0; off < size; off += ea_size) {

	ret = 0;

	for (off = 0; off + sizeof(struct EA_FULL) < size; off += ea_size) {

		ea = Add2Ptr(ea_all, off);

		ea_size = unpacked_ea_size(ea);



		if (!ea->name_len)

			break;



		if (ea->name_len > ea_size)

			break;



		if (buffer) {

			/* Check if we can use field ea->name */

			if (off + ea_size > size)

				break;



			if (ret + ea->name_len + 1 > bytes_per_buffer) {

				err = -ERANGE;

				goto out;