ntfs: validate resident index root values on lookup

Resident $INDEX_ROOT values carry index header fields that callers
consume after lookup. Some callers already validate parts of the layout
before walking entries, but those checks are scattered and do not cover
all root header invariants, such as entries_offset alignment and lower
bound, index_length, and allocated_size consistency.

The resident root resize paths now keep these header fields consistent
while the value size changes: ntfs_ir_truncate() lowers
index.allocated_size before shrinking the resident value, and
ntfs_ir_reparent() grows the resident value before publishing a larger
root header. Lookup-time validation can therefore cover these invariants
without tripping over the driver's own resize paths.

Add $INDEX_ROOT to the minimum resident value size table and validate the
resident index header fields before returning the attribute from lookup.
Require 8-byte aligned index header fields, a sane entries_offset, an
index_length within allocated_size, allocated_size within the resident
value, and enough entry space for at least an index entry header.

The shared validator already rejects non-resident records for
resident-only attribute types, including $INDEX_ROOT.

Cc: stable@vger.kernel.org # v7.1
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>

diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c
index 1cd6664567ceb0231a7935856c21562af923eabc..dd8828098511831d55823ca9621d667ee5f86a4c 100644 (file)
--- a/fs/ntfs/attrib.c
+++ b/fs/ntfs/attrib.c
@@ -589,6 +589,8 @@ static u32 ntfs_resident_attr_min_value_length(const __le32 type)
                        sizeof(__le16) * 1;
        case AT_VOLUME_INFORMATION:
                return sizeof(struct volume_information);
+       case AT_INDEX_ROOT:
+               return sizeof(struct index_root);
        case AT_EA_INFORMATION:
                return sizeof(struct ea_information);
        default:
@@ -632,6 +634,31 @@ static bool ntfs_volume_name_attr_value_is_valid(const u32 value_length)
        return value_length <= NTFS_MAX_LABEL_LEN * sizeof(__le16);
 }
 
+static bool ntfs_index_root_attr_value_is_valid(const u8 *value, const u32 value_length)
+{
+       const struct index_root *ir;
+       u32 index_size;
+       u32 entries_offset;
+       u32 index_length;
+       u32 allocated_size;
+
+       ir = (const struct index_root *)value;
+       index_size = value_length - offsetof(struct index_root, index);
+       entries_offset = le32_to_cpu(ir->index.entries_offset);
+       index_length = le32_to_cpu(ir->index.index_length);
+       allocated_size = le32_to_cpu(ir->index.allocated_size);
+
+       if ((entries_offset | index_length | allocated_size) & 7 ||
+           entries_offset < sizeof(struct index_header) ||
+           entries_offset > index_length ||
+           index_length > allocated_size ||
+           allocated_size > index_size ||
+           index_length - entries_offset < sizeof(struct index_entry_header))
+               return false;
+
+       return true;
+}
+
 struct ntfs_resident_attr_value {
        const u8 *data;
        u32 len;
@@ -705,6 +732,10 @@ static bool ntfs_attr_value_is_valid(struct ntfs_volume *vol,
                if (!ntfs_volume_name_attr_value_is_valid(value.len))
                        goto corrupt;
                break;
+       case AT_INDEX_ROOT:
+               if (!ntfs_index_root_attr_value_is_valid(value.data, value.len))
+                       goto corrupt;
+               break;
        }
        return true;