From 1077b894a3af21394b1d51f32d0e1634f1de00af Mon Sep 17 00:00:00 2001
From: Konstantin Komarov
Date: Wed, 17 Apr 2024 09:16:03 +0800
Subject: [PATCH 1/2] fs/ntfs3: Fix NULL pointer dereference on error in attr_allocate_frame()
mainline inclusion
from mainline-v6.6-rc7
commit 9c689c8dc86f8ca99bf91c05f24c8bab38fe7d5f
category: bugfix
bugzilla: 189772
CVE: CVE-2023-52641
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9c689c8dc86f8ca99bf91c05f24c8bab38fe7d5f
--------------------------------
Signed-off-by: Konstantin Komarov
Signed-off-by: ZhaoLong Wang
---
 fs/ntfs3/attrib.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c
index 5d4ad0f4feb3..5d5af9a50499 100644
--- a/fs/ntfs3/attrib.c
+++ b/fs/ntfs3/attrib.c
@@ -1578,10 +1578,8 @@ int attr_allocate_frame(struct ntfs_inode *ni, CLST frame, size_t compr_size,
 le_b = NULL;
 attr_b = ni_find_attr(ni, NULL, &le_b, ATTR_DATA, NULL, 0, NULL, &mi_b);
- if (!attr_b) {
- err = -ENOENT;
- goto out;
- }
+ if (!attr_b)
+ return -ENOENT;
 attr = attr_b;
 le = le_b;
-- 
Gitee
From 6446cdc94b95b169e8360413dab8b689bbf65913 Mon Sep 17 00:00:00 2001
From: Konstantin Komarov
Date: Wed, 17 Apr 2024 09:16:04 +0800
Subject: [PATCH 2/2] fs/ntfs3: Add NULL ptr dereference checking at the end of attr_allocate_frame()
mainline inclusion
from mainline-v6.8-rc4
commit aaab47f204aaf47838241d57bf8662c8840de60a
category: bugfix
bugzilla: 189772
CVE: CVE-2023-52641
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aaab47f204aaf47838241d57bf8662c8840de60a
--------------------------------
It is preferable to exit through the out: label because internal debugging functions are located there.
Signed-off-by: Konstantin Komarov
Signed-off-by: ZhaoLong Wang
---
 fs/ntfs3/attrib.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
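Review bot: The new `return -ENOENT;` is a second exit path that bypasses the `out:` epilogue which the function's other error paths reach via `err = ...; goto out;`, so the `new_valid`/`valid_size` bookkeeping done at `out:` (visible in the old side of the following patch) and anything else placed at that label is skipped on this path. The dereference being avoided is of `attr_b` at `out:`, so guarding that block with `if (attr_b) { ... }` would remove the NULL access while keeping the single-exit goto-cleanup style the surrounding code uses; as written, the bare return is inconsistent with that convention. attr_allocate_frame() starts and ends outside this hunk.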
diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c
index 5d5af9a50499..2aa38ba39149 100644
--- a/fs/ntfs3/attrib.c
+++ b/fs/ntfs3/attrib.c
@@ -1578,8 +1578,10 @@ int attr_allocate_frame(struct ntfs_inode *ni, CLST frame, size_t compr_size,
 le_b = NULL;
 attr_b = ni_find_attr(ni, NULL, &le_b, ATTR_DATA, NULL, 0, NULL, &mi_b);
- if (!attr_b)
- return -ENOENT;
+ if (!attr_b) {
+ err = -ENOENT;
+ goto out;
+ }
 attr = attr_b;
 le = le_b;
@@ -1660,13 +1662,15 @@ int attr_allocate_frame(struct ntfs_inode *ni, CLST frame, size_t compr_size,
 ok:
 run_truncate_around(run, vcn);
 out:
- if (new_valid > data_size)
- new_valid = data_size;
+ if (attr_b) {
+ if (new_valid > data_size)
+ new_valid = data_size;
- valid_size = le64_to_cpu(attr_b->nres.valid_size);
- if (new_valid != valid_size) {
- attr_b->nres.valid_size = cpu_to_le64(valid_size);
- mi_b->dirty = true;
+ valid_size = le64_to_cpu(attr_b->nres.valid_size);
+ if (new_valid != valid_size) {
+ attr_b->nres.valid_size = cpu_to_le64(valid_size);
+ mi_b->dirty = true;
+ }
 }
 return err;
-- 
Gitee
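Review bot: Inside the new `if (attr_b)` block in the second hunk the write-back stores the value it just read rather than the new one: `attr_b->nres.valid_size = cpu_to_le64(valid_size);` directly follows `valid_size = le64_to_cpu(attr_b->nres.valid_size);`, so the on-disk field is rewritten with its own contents while `mi_b->dirty = true;` still forces the MFT record out. If the intent is to persist the clamped value, the line should read `attr_b->nres.valid_size = cpu_to_le64(new_valid);`; if the no-op is deliberate, a one-line comment such as `/* valid_size is intentionally not advanced here */` would spare the next reader the same puzzle. This logic is pre-existing and only re-indented by this commit, so it may belong in a follow-up rather than in this NULL-check fix. The guard covers `attr_b` only; `mi_b` is presumably filled in by the same `ni_find_attr()` call and so non-NULL whenever `attr_b` is, but that is not visible in the hunk. attr_allocate_frame() begins before the first hunk of this patch.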