diff options
| author | Hawkins Jiawei <[email protected]> | 2022-09-01 00:09:38 +0800 |
|---|---|---|
| committer | Andrew Morton <[email protected]> | 2022-09-11 21:55:12 -0700 |
| commit | 63095f4f3af59322bea984a6ae44337439348fe0 (patch) | |
| tree | 27fcd939c7ce47e02a3f844d77244da0f75f5403 /tools/perf/scripts/python/event_analyzing_sample.py | |
| parent | 36a4d82dddbbd421d2b8e79e1cab68c8126d5075 (diff) | |
ntfs: check overflow when iterating ATTR_RECORDs
Kernel iterates over ATTR_RECORDs in mft record in ntfs_attr_find().
Because the ATTR_RECORDs are next to each other, kernel can get the next
ATTR_RECORD from end address of current ATTR_RECORD, through current
ATTR_RECORD length field.
The problem is that during iteration, when kernel calculates the end
address of current ATTR_RECORD, kernel may trigger an integer overflow bug
in executing `a = (ATTR_RECORD*)((u8*)a + le32_to_cpu(a->length))`. This
may wrap, leading to a forever iteration on 32bit systems.
This patch solves it by adding some checks on calculating end address
of current ATTR_RECORD during iteration.
Link: https://lkml.kernel.org/r/[email protected]
Link: https://lore.kernel.org/all/20220827105842.GM2030@kadam/
Signed-off-by: Hawkins Jiawei <[email protected]>
Suggested-by: Dan Carpenter <[email protected]>
Cc: Anton Altaparmakov <[email protected]>
Cc: chenxiaosong (A) <[email protected]>
Cc: syzkaller-bugs <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python/event_analyzing_sample.py')
0 files changed, 0 insertions, 0 deletions