ntfs3: fix out-of-bounds read in decompress_lznt

decompress_lznt() does not validate array index bounds before accessing
the decompression table. A corrupted NTFS3 image with invalid compressed
data can trigger an out-of-bounds read.

Add index bounds checking to prevent the OOB access.

Reported-by: syzbot+39b2fb0f2638669008ec@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>

diff --git a/fs/ntfs3/lznt.c b/fs/ntfs3/lznt.c
index fdc9b2ebf3410e9ae888a5f738190a89d223cfe5..f818d97850049ce88dd69e55b72c8844ba84cf91 100644 (file)
--- a/fs/ntfs3/lznt.c
+++ b/fs/ntfs3/lznt.c
@@ -240,7 +240,7 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr,
                if (up - unc > LZNT_CHUNK_SIZE)
                        return -EINVAL;
                /* Correct index */
-               while (unc + s_max_off[index] < up)
+               while (index < ARRAY_SIZE(s_max_off) - 1 && unc + s_max_off[index] < up)
                        index += 1;
 
                /* Check the current flag for zero. */