ntfs3: fix OOB write in attr_wof_frame_info()

In attr_wof_frame_info(), the offset-table read range for a nonresident
WofCompressedData stream is:

    u64 from = vbo[i] & ~(u64)(PAGE_SIZE - 1);
    u64 to   = min(from + PAGE_SIZE, wof_size);
    ...
    ntfs_read_run(sbi, run, addr, from, to - from);

A crafted image sets WofCompressedData.nres.data_size to 0xfff while the
file is large enough to request frame 1024 (offset 0x400000). This gives
from=0x1000, to=0xfff. The unsigned (to - from) wraps to 0xffffffffffffffff
and ntfs_read_write_run() overflows the single-page offs_folio via memcpy.

Triggered by pread() on a mounted NTFS image. Depending on adjacent
memory layout at the time of the overflow, KASAN reports this as
slab-out-of-bounds, use-after-free, or slab-use-after-free all at
ntfs_read_write_run(). Secondary corruption/panic paths were also observed.

Reject the read when the offset-table page is outside the stream.

Signed-off-by: 0xkato <0xkkato@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>

diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c
index 76e581d3961d054228f19cc6f4873bec8bf1c997..6b5b58ebbf852049b0a0a5336a00facf31dc66d2 100644 (file)
--- a/fs/ntfs3/attrib.c
+++ b/fs/ntfs3/attrib.c
@@ -1591,6 +1591,12 @@ int attr_wof_frame_info(struct ntfs_inode *ni, struct ATTRIB *attr,
                        u64 from = vbo[i] & ~(u64)(PAGE_SIZE - 1);
                        u64 to = min(from + PAGE_SIZE, wof_size);
 
+                       if (from >= wof_size) {
+                               _ntfs_bad_inode(&ni->vfs_inode);
+                               err = -EINVAL;
+                               goto out1;
+                       }
+
                        err = attr_load_runs_range(ni, ATTR_DATA, WOF_NAME,
                                                   ARRAY_SIZE(WOF_NAME), run,
                                                   from, to);