ntfs: validate attribute name bounds before returning it

ntfs_attr_find() validates a named attribute before comparing it with the
requested name, but that check is currently after the AT_UNUSED handling.
When callers enumerate attributes with AT_UNUSED, ntfs_attr_find() can
return a malformed named attribute before checking whether name_offset
and name_length stay within the attribute record.

Some enumeration callers use the returned attribute name pointer
directly.  For example, one path passes (attr + name_offset, name_length)
to ntfs_attr_iget(), where the name can later be copied according to
name_length.  A malformed on-disk name_offset/name_length pair should not
be exposed to those callers.

Move the existing name bounds validation before returning attributes
during AT_UNUSED enumeration, and write it as an offset/remaining-size
check so the subtraction cannot underflow.  Extract the converted values
into local variables (name_offset, attr_len, name_size) to make the
intent explicit and avoid repeating the endian conversions inside the
bounds check.  This keeps matching attributes on the same checked path
while also covering attribute enumeration.

A small userspace ASAN model with attr length=32, name_offset=124 and
name_length=8 reproduces a heap-buffer-overflow read in the old
enumeration path.  With this change the same malformed attribute is
rejected before the name pointer is returned to the caller.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>

diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c
index d60d0c686718f428e194e43ea783dcb69f6ca0f3..421c6cdcbb53078aa50eb899eb45e085e34f4d7e 100644 (file)
--- a/fs/ntfs/attrib.c
+++ b/fs/ntfs/attrib.c
@@ -661,6 +661,9 @@ static int ntfs_attr_find(const __le32 type, const __le16 *name,
        __le16 *upcase = vol->upcase;
        u32 upcase_len = vol->upcase_len;
        unsigned int space;
+       u16 name_offset;
+       u32 attr_len;
+       u32 name_size;
 
        /*
         * Iterate over attributes in mft record starting at @ctx->attr, or the
@@ -688,6 +691,20 @@ static int ntfs_attr_find(const __le32 type, const __le16 *name,
                        return -ENOENT;
                if (unlikely(!a->length))
                        break;
+               if (a->name_length) {
+                       name_offset = le16_to_cpu(a->name_offset);
+                       attr_len = le32_to_cpu(a->length);
+                       name_size = a->name_length * sizeof(__le16);
+
+                       if (name_offset > attr_len ||
+                           attr_len - name_offset < name_size) {
+                               ntfs_error(vol->sb,
+                                          "Corrupt attribute name in MFT record %llu\n",
+                                          ctx->ntfs_ino->mft_no);
+                               break;
+                       }
+               }
+
                if (type == AT_UNUSED)
                        return 0;
                if (a->type != type)
@@ -701,14 +718,6 @@ static int ntfs_attr_find(const __le32 type, const __le16 *name,
                        if (a->name_length)
                                return -ENOENT;
                } else {
-                       if (a->name_length && ((le16_to_cpu(a->name_offset) +
-                                              a->name_length * sizeof(__le16)) >
-                                               le32_to_cpu(a->length))) {
-                               ntfs_error(vol->sb, "Corrupt attribute name in MFT record %llu\n",
-                                          ctx->ntfs_ino->mft_no);
-                               break;
-                       }
-
                        if (!ntfs_are_names_equal(name, name_len,
                                        (__le16 *)((u8 *)a + le16_to_cpu(a->name_offset)),
                                        a->name_length, ic, upcase, upcase_len)) {