ntfs3: fix use-after-free of sbi->options in cmp_fnames

The root cause is that sbi->options points directly to fc->fs_private.
If fc->fs_private is freed while sbi still exists, sbi->options becomes
a dangling pointer.

This patch ensures that sbi->options is a separate copy of fc->fs_private
and duplicates nls_name if present. On superblock release or error,
sbi->options->nls_name and sbi->options are freed and sbi->options
is set to NULL to avoid any dangling pointer.

Reported-by: syzbot+d77c546c60db651a389c@syzkaller.appspotmail.com
Signed-off-by: YangWen <anmuxixixi@gmail.com>
[almaz.alexandrovich@paragon-software.com: remove syzbot logs from description]
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>

diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index 9f69316d77b60004bd121af6662345eacbae2fdc..aae1f32f4dab53b541d73a01b362141e996dd9b7 100644 (file)
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -702,6 +702,14 @@ static void ntfs_put_super(struct super_block *sb)
 
        /* Mark rw ntfs as clear, if possible. */
        ntfs_set_state(sbi, NTFS_DIRTY_CLEAR);
+
+       if (sbi->options) {
+               unload_nls(sbi->options->nls);
+               kfree(sbi->options->nls);
+               kfree(sbi->options);
+               sbi->options = NULL;
+       }
+
        ntfs3_put_sbi(sbi);
 }
 
@@ -1203,7 +1211,8 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
        int err;
        struct ntfs_sb_info *sbi = sb->s_fs_info;
        struct block_device *bdev = sb->s_bdev;
-       struct ntfs_mount_options *options;
+       struct ntfs_mount_options *fc_opts;
+       struct ntfs_mount_options *options = NULL;
        struct inode *inode;
        struct ntfs_inode *ni;
        size_t i, tt, bad_len, bad_frags;
@@ -1220,20 +1229,35 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
        ref.high = 0;
 
        sbi->sb = sb;
-       sbi->options = options = fc->fs_private;
-       fc->fs_private = NULL;
+       fc_opts = fc->fs_private;
+       if (!fc_opts) {
+               errorf(fc, "missing mount options");
+               return -EINVAL;
+       }
+       options = kmemdup(fc_opts, sizeof(*fc_opts), GFP_KERNEL);
+       if (!options)
+               return -ENOMEM;
+
+       if (fc_opts->nls_name) {
+               options->nls_name = kstrdup(fc_opts->nls_name, GFP_KERNEL);
+               if (!options->nls_name) {
+                       kfree(options);
+                       return -ENOMEM;
+               }
+       }
+       sbi->options = options;
        sb->s_flags |= SB_NODIRATIME;
        sb->s_magic = 0x7366746e; // "ntfs"
        sb->s_op = &ntfs_sops;
        sb->s_export_op = &ntfs_export_ops;
        sb->s_time_gran = NTFS_TIME_GRAN; // 100 nsec
        sb->s_xattr = ntfs_xattr_handlers;
-       set_default_d_op(sb, options->nocase ? &ntfs_dentry_ops : NULL);
+       set_default_d_op(sb, sbi->options->nocase ? &ntfs_dentry_ops : NULL);
 
-       options->nls = ntfs_load_nls(options->nls_name);
-       if (IS_ERR(options->nls)) {
-               options->nls = NULL;
-               errorf(fc, "Cannot load nls %s", options->nls_name);
+       sbi->options->nls = ntfs_load_nls(sbi->options->nls_name);
+       if (IS_ERR(sbi->options->nls)) {
+               sbi->options->nls = NULL;
+               errorf(fc, "Cannot load nls %s", fc_opts->nls_name);
                err = -EINVAL;
                goto out;
        }
@@ -1645,6 +1669,13 @@ load_root:
 put_inode_out:
        iput(inode);
 out:
+       if (sbi && sbi->options) {
+               unload_nls(sbi->options->nls);
+               kfree(sbi->options->nls);
+               kfree(sbi->options);
+               sbi->options = NULL;
+       }
+
        ntfs3_put_sbi(sbi);
        kfree(boot2);
        return err;