Skip to content

ntfs3: cap RESTART_TABLE free-chain walker at rt->used #1413

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
vfsci-bot wants to merge 1 commit into
base: vfs.base.ci
Choose a base branch
from
Open

ntfs3: cap RESTART_TABLE free-chain walker at rt->used #1413

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 12 additions & 1 deletion fs/ntfs3/fslog.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -764,8 +764,19 @@ static bool check_rstbl(const struct RESTART_TABLE *rt, size_t bytes)
/*
* Walk through the list headed by the first entry to make
* sure none of the entries are currently being used.
*
* Bound traversal by ne (rt->used) to defeat a crafted on-disk
* cycle in the free chain. Each entry in a legitimate free
* list is unique, so a chain that visits more than ne slots
* is malformed. Without this guard, an attacker-controlled
* RESTART_TABLE with a self-loop or A->B->A cycle whose
* offsets satisfy the existing alignment + in-bounds guards
* spins forever at mount time.
*/
for (off = ff; off;) {
for (off = ff, i = 0; off; i++) {
if (i > ne)
return false;

if (off == RESTART_ENTRY_ALLOCATED)
return false;

Expand Down
Loading