Re: [PATCH] ntfs: change check order in ntfs_attr_find
From: chenxiaosong (A)
Date: Fri Aug 26 2022 - 21:32:22 EST
在 2022/8/26 20:27, Hawkins Jiawei 写道:
syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Looks like it is improper check order that causes this bug.
Signed-off-by: Hawkins Jiawei <yin31149@xxxxxxxxx>
---
fs/ntfs/attrib.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c
index 52615e6090e1..6480cd2d371d 100644
--- a/fs/ntfs/attrib.c
+++ b/fs/ntfs/attrib.c
@@ -594,10 +594,11 @@ static int ntfs_attr_find(const ATTR_TYPE type, const ntfschar *name,
for (;; a = (ATTR_RECORD*)((u8*)a + le32_to_cpu(a->length))) {
u8 *mrec_end = (u8 *)ctx->mrec +
le32_to_cpu(ctx->mrec->bytes_allocated);
+ if ((u8*)a < (u8*)ctx->mrec || (u8*)a > mrec_end)
+ break;
u8 *name_end = (u8 *)a + le16_to_cpu(a->name_offset) +
a->name_length * sizeof(ntfschar);
- if ((u8*)a < (u8*)ctx->mrec || (u8*)a > mrec_end ||
- name_end > mrec_end)
+ if (name_end > mrec_end)
break;
ctx->attr = a;
if (unlikely(le32_to_cpu(a->type) > le32_to_cpu(type) ||
The reason is that a->length is 0, it will occur uaf when deref any
field of ATTR_RECORD.
It seems that changing check order will not fix root cause, if the
condition "if ((u8*)a < (u8*)ctx->mrec || (u8*)a > mrec_end)" is false,
uaf will still occur.
Do you have any thoughts on this ?