From: Lizhi Xu lizhi.xu@windriver.com
[ Upstream commit e841ecb139339602bc1853f5f09daa5d1ea920a2 ]
The length of the file name should be smaller than the directory entry size.
Reported-by: syzbot+598057afa0f49e62bd23@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=598057afa0f49e62bd23 Signed-off-by: Lizhi Xu lizhi.xu@windriver.com Signed-off-by: Konstantin Komarov almaz.alexandrovich@paragon-software.com Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
Looking at the code context and the patch, I can now provide my analysis.
**Backport Status: YES**
This commit should be backported to stable kernel trees. Here's my extensive analysis:
## Security Impact Analysis
The commit adds a critical bounds check that prevents a potential out- of-bounds read vulnerability in the NTFS3 filesystem driver. The vulnerability occurs in the `ntfs_dir_emit()` function at fs/ntfs3/dir.c:307-308.
## Technical Details of the Fix
The patch adds this sanity check: ```c if (fname->name_len + sizeof(struct NTFS_DE) > le16_to_cpu(e->size)) return true; ```
This check validates that the file name length doesn't exceed the directory entry size before attempting to read the file name data. Without this check, the code at line 307-308: ```c name_len = ntfs_utf16_to_nls(sbi, fname->name, fname->name_len, name, PATH_MAX); ```
Could read beyond the allocated memory for the directory entry if a malformed NTFS filesystem contains a `fname->name_len` value that extends past the actual directory entry boundary.
## Why This Should Be Backported
1. **Security Fix**: This fixes a syzbot-reported security vulnerability that could lead to out-of-bounds memory reads, potentially exposing kernel memory contents or causing crashes.
2. **Small and Contained**: The fix is just 2 lines of code - a simple bounds check that returns early if the condition is violated. This minimizes the risk of introducing regressions.
3. **Clear Bug Fix**: This is not a feature addition or architectural change - it's a straightforward security hardening fix that adds missing input validation.
4. **Filesystem Data Validation**: The fix validates untrusted filesystem data, which is critical since malformed filesystem images could be mounted by unprivileged users in some configurations.
5. **No Side Effects**: The fix simply causes the code to skip malformed directory entries rather than processing them, which is the safe and expected behavior.
6. **Follows Stable Rules**: This meets the stable kernel criteria: - Fixes a real bug (out-of-bounds read) - Small change (2 lines) - Obviously correct (simple bounds check) - Already tested (reported and fixed via syzbot)
The commit follows a pattern of similar NTFS3 sanity checks that have been backported, as shown by the git log search revealing multiple validation fixes like "Validate buffer length while parsing index", "Validate data run offset", etc.
fs/ntfs3/dir.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c index e1b856ecce61..6b93c909bdc9 100644 --- a/fs/ntfs3/dir.c +++ b/fs/ntfs3/dir.c @@ -304,6 +304,9 @@ static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi, if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN)) return true;
+ if (fname->name_len + sizeof(struct NTFS_DE) > le16_to_cpu(e->size)) + return true; + name_len = ntfs_utf16_to_nls(sbi, fname->name, fname->name_len, name, PATH_MAX); if (name_len <= 0) {