From 88101a5dcf2496e0480bcebc1e2acf172e214616 Mon Sep 17 00:00:00 2001
From: Konstantin Komarov
Date: Wed, 17 Apr 2024 09:17:22 +0800
Subject: [PATCH 1/2] fs/ntfs3: Fix NULL pointer dereference on error in attr_allocate_frame()

mainline inclusion
from mainline-v6.6-rc7
commit 9c689c8dc86f8ca99bf91c05f24c8bab38fe7d5f
category: bugfix
bugzilla: 189772
CVE: CVE-2023-52641

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9c689c8dc86f8ca99bf91c05f24c8bab38fe7d5f

--------------------------------

Signed-off-by: Konstantin Komarov
Signed-off-by: ZhaoLong Wang
---
 fs/ntfs3/attrib.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c
index 5d4ad0f4feb3..5d5af9a50499 100644
--- a/fs/ntfs3/attrib.c
+++ b/fs/ntfs3/attrib.c
@@ -1578,10 +1578,8 @@ int attr_allocate_frame(struct ntfs_inode *ni, CLST frame, size_t compr_size,
 	le_b = NULL;
 	attr_b = ni_find_attr(ni, NULL, &le_b, ATTR_DATA, NULL, 0, NULL,
 			      &mi_b);
-	if (!attr_b) {
-		err = -ENOENT;
-		goto out;
-	}
+	if (!attr_b)
+		return -ENOENT;
 
 	attr = attr_b;
 	le = le_b;
--
Gitee

From 02eba0783400688205b8840aba15d93305053aa8 Mon Sep 17 00:00:00 2001
From: Konstantin Komarov
Date: Wed, 17 Apr 2024 09:17:23 +0800
Subject: [PATCH 2/2] fs/ntfs3: Add NULL ptr dereference checking at the end of attr_allocate_frame()

mainline inclusion
from mainline-v6.8-rc4
commit aaab47f204aaf47838241d57bf8662c8840de60a
category: bugfix
bugzilla: 189772
CVE: CVE-2023-52641

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aaab47f204aaf47838241d57bf8662c8840de60a

--------------------------------

It is preferable to exit through the out: label because internal debugging functions are located there.

Signed-off-by: Konstantin Komarov
Signed-off-by: ZhaoLong Wang
---
 fs/ntfs3/attrib.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c
index 5d5af9a50499..2aa38ba39149 100644
--- a/fs/ntfs3/attrib.c
+++ b/fs/ntfs3/attrib.c
@@ -1578,8 +1578,10 @@ int attr_allocate_frame(struct ntfs_inode *ni, CLST frame, size_t compr_size,
 	le_b = NULL;
 	attr_b = ni_find_attr(ni, NULL, &le_b, ATTR_DATA, NULL, 0, NULL,
 			      &mi_b);
-	if (!attr_b)
-		return -ENOENT;
+	if (!attr_b) {
+		err = -ENOENT;
+		goto out;
+	}
 
 	attr = attr_b;
 	le = le_b;
@@ -1660,13 +1662,15 @@ int attr_allocate_frame(struct ntfs_inode *ni, CLST frame, size_t compr_size,
 ok:
 	run_truncate_around(run, vcn);
 out:
-	if (new_valid > data_size)
-		new_valid = data_size;
+	if (attr_b) {
+		if (new_valid > data_size)
+			new_valid = data_size;
 
-	valid_size = le64_to_cpu(attr_b->nres.valid_size);
-	if (new_valid != valid_size) {
-		attr_b->nres.valid_size = cpu_to_le64(valid_size);
-		mi_b->dirty = true;
+		valid_size = le64_to_cpu(attr_b->nres.valid_size);
+		if (new_valid != valid_size) {
+			attr_b->nres.valid_size = cpu_to_le64(valid_size);
+			mi_b->dirty = true;
+		}
 	}
 
 	return err;
--
Gitee
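Review bot: In the second hunk, the store inside the new `if (attr_b)` block writes back the value it just read — `valid_size = le64_to_cpu(attr_b->nres.valid_size);` is followed by `attr_b->nres.valid_size = cpu_to_le64(valid_size);` — so the on-disk field never changes and `mi_b->dirty = true;` marks the MFT record dirty for a no-op; presumably `cpu_to_le64(new_valid)` was intended, since the enclosing condition compares `new_valid` against `valid_size`. The guard itself is right for the new `goto out` path, because `mi_b` is only meaningful once `ni_find_attr()` has returned a non-NULL `attr_b`. This line is carried over from the pre-patch code, so it should be confirmed against the mainline tree before changing it rather than fixed in this backport. attr_allocate_frame() begins before the first hunk and the body between the two hunks is not shown.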