[syzbot] [ntfs3?] KASAN: slab-out-of-bounds Read in ntfs_utf16_to_nls


syzbot

Jun 4, 2025, 12:49:41 PM
to almaz.ale...@paragon-software.com, linux-...@vger.kernel.org, nt...@lists.linux.dev, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 0f70f5b08a47 Merge tag 'pull-automount' of git://git.kerne..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=167abed4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=22765942f2e2ebcf
dashboard link: https://syzkaller.appspot.com/bug?extid=598057afa0f49e62bd23
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a2200c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12831970580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4af859a809ab/disk-0f70f5b0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d3df10c6aa23/vmlinux-0f70f5b0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3a2d5f44d739/bzImage-0f70f5b0.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d6f6d89632f0/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+598057...@syzkaller.appspotmail.com

ntfs3(loop0): failed to convert "0000" to maccroatian
==================================================================
BUG: KASAN: slab-out-of-bounds in ntfs_utf16_to_nls+0x3c9/0x5a0 fs/ntfs3/dir.c:49
Read of size 2 at addr ffff88807c7f1000 by task syz-executor243/5824

CPU: 0 UID: 0 PID: 5824 Comm: syz-executor243 Not tainted 6.15.0-syzkaller-09161-g0f70f5b08a47 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
ntfs_utf16_to_nls+0x3c9/0x5a0 fs/ntfs3/dir.c:49
ntfs_dir_emit fs/ntfs3/dir.c:307 [inline]
ntfs_read_hdr+0x508/0xbc0 fs/ntfs3/dir.c:383
ntfs_readdir+0xa5c/0xdd0 fs/ntfs3/dir.c:494
iterate_dir+0x5ac/0x770 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:410 [inline]
__se_sys_getdents64+0xe4/0x260 fs/readdir.c:396
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f34189bde59
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff44014e48 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000200000000080 RCX: 00007f34189bde59
RDX: 0000000000001000 RSI: 0000200000000f80 RDI: 0000000000000004
RBP: 00007f3418a515f0 R08: 000055556d8c34c0 R09: 000055556d8c34c0
R10: 000055556d8c34c0 R11: 0000000000000246 R12: 00007fff44014e70
R13: 00007fff44015098 R14: 431bde82d7b634db R15: 00007f3418a0703b
</TASK>

Allocated by task 5824:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4327 [inline]
__kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4339
kmalloc_noprof include/linux/slab.h:909 [inline]
indx_read+0x27c/0xc20 fs/ntfs3/index.c:1059
ntfs_readdir+0x9d8/0xdd0 fs/ntfs3/dir.c:489
iterate_dir+0x5ac/0x770 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:410 [inline]
__se_sys_getdents64+0xe4/0x260 fs/readdir.c:396
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807c7f0000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 0 bytes to the right of
allocated 4096-byte region [ffff88807c7f0000, ffff88807c7f1000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7c7f0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801a442140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080040004 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801a442140 dead000000000122 0000000000000000
head: 0000000000000000 0000000080040004 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001f1fc01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5824, tgid 5824 (syz-executor243), ts 94062103587, free_ts 87837995758
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1710
prep_new_page mm/page_alloc.c:1718 [inline]
get_page_from_freelist+0x21d1/0x22b0 mm/page_alloc.c:3680
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4970
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2301
alloc_slab_page mm/slub.c:2450 [inline]
allocate_slab+0x8a/0x3b0 mm/slub.c:2618
new_slab mm/slub.c:2672 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3858
__slab_alloc mm/slub.c:3948 [inline]
__slab_alloc_node mm/slub.c:4023 [inline]
slab_alloc_node mm/slub.c:4184 [inline]
__do_kmalloc_node mm/slub.c:4326 [inline]
__kmalloc_noprof+0x305/0x4f0 mm/slub.c:4339
kmalloc_noprof include/linux/slab.h:909 [inline]
indx_read+0x27c/0xc20 fs/ntfs3/index.c:1059
ntfs_readdir+0x9d8/0xdd0 fs/ntfs3/dir.c:489
iterate_dir+0x5ac/0x770 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:410 [inline]
__se_sys_getdents64+0xe4/0x260 fs/readdir.c:396
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5814 tgid 5814 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1254 [inline]
__free_frozen_pages+0xc65/0xe50 mm/page_alloc.c:2717
discard_slab mm/slub.c:2716 [inline]
__put_partials+0x161/0x1c0 mm/slub.c:3185
put_cpu_partial+0x17c/0x250 mm/slub.c:3260
__slab_free+0x2f7/0x400 mm/slub.c:4512
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4147 [inline]
slab_alloc_node mm/slub.c:4196 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4203
vm_area_dup+0x28/0x540 kernel/fork.c:488
__split_vma+0x1a0/0x9b0 mm/vma.c:477
vms_gather_munmap_vmas+0x2de/0x12b0 mm/vma.c:1315
do_vmi_align_munmap+0x25d/0x420 mm/vma.c:1483
__do_sys_brk mm/mmap.c:176 [inline]
__se_sys_brk+0x74e/0xb90 mm/mmap.c:115
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffff88807c7f0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807c7f0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807c7f1000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88807c7f1080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807c7f1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Edward Adam Davis

Jun 5, 2025, 9:56:28 AM
to syzbot+598057...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c
index b6da80c69ca6..4f511cbd392d 100644
--- a/fs/ntfs3/dir.c
+++ b/fs/ntfs3/dir.c
@@ -303,9 +303,13 @@ static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi,

if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN))
return true;
+ printk("keysize: %d, name len: %u, nls: %p, fn: %s, %s\n",
+ le16_to_cpu(e->key_size), fname->name_len,
+ sbi->options->nls, (s8*)fname->name, __func__);

name_len = ntfs_utf16_to_nls(sbi, fname->name, fname->name_len, name,
PATH_MAX);
+ printk("nl: %d, name: %s, %s\n", name_len, name, __func__);
if (name_len <= 0) {
ntfs_warn(sbi->sb, "failed to convert name for inode %lx.",
ino);
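Review bot: the second printk passes `name` to `%s` before the `if (name_len <= 0)` check that follows it, so when the conversion fails (the "failed to convert" lines in the report above are exactly that path) it prints whatever the buffer happened to contain; move the call below the check or guard it on `name_len > 0`. In the first printk, `%s` applied to `(s8*)fname->name` reads a UTF-16LE name as a NUL-terminated byte string, so for an ASCII name it stops at the zero high byte of the first code unit and shows a single character; `fname->name_len` and `e->key_size`, which are already printed, carry the information needed here. Both calls also lack a KERN_ level; `pr_debug()` is the usual choice for throwaway instrumentation.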

syzbot

Jun 5, 2025, 10:13:09 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Read in ntfs_utf16_to_nls

nl: 254, name: file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, ntfs_dir_emit
keysize: 76, name len: 255, nls: ffffffff8e445280, fn: f, ntfs_dir_emit
ntfs3(loop0): failed to convert "0000" to maccroatian
==================================================================
BUG: KASAN: slab-out-of-bounds in ntfs_utf16_to_nls+0x3c9/0x5a0 fs/ntfs3/dir.c:49
Read of size 2 at addr ffff888033905000 by task syz.0.16/6595

CPU: 1 UID: 0 PID: 6595 Comm: syz.0.16 Not tainted 6.15.0-syzkaller-12141-gec7714e49479-dirty #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
ntfs_utf16_to_nls+0x3c9/0x5a0 fs/ntfs3/dir.c:49
ntfs_dir_emit fs/ntfs3/dir.c:310 [inline]
ntfs_read_hdr+0x6b5/0xca0 fs/ntfs3/dir.c:387
ntfs_readdir+0xa5c/0xdd0 fs/ntfs3/dir.c:498
iterate_dir+0x5ac/0x770 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:410 [inline]
__se_sys_getdents64+0xe4/0x260 fs/readdir.c:396
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f414938e969
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f414a2cd038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f41495b5fa0 RCX: 00007f414938e969
RDX: 0000000000001000 RSI: 0000200000000f80 RDI: 0000000000000004
RBP: 00007f4149410ab1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f41495b5fa0 R15: 00007fffafbf4148
</TASK>

Allocated by task 6595:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4328 [inline]
__kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4340
kmalloc_noprof include/linux/slab.h:909 [inline]
indx_read+0x27c/0xc20 fs/ntfs3/index.c:1059
ntfs_readdir+0x9d8/0xdd0 fs/ntfs3/dir.c:493
iterate_dir+0x5ac/0x770 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:410 [inline]
__se_sys_getdents64+0xe4/0x260 fs/readdir.c:396
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888033904000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 0 bytes to the right of
allocated 4096-byte region [ffff888033904000, ffff888033905000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33900
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801a442140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080040004 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801a442140 dead000000000122 0000000000000000
head: 0000000000000000 0000000080040004 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0000ce4001 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6595, tgid 6594 (syz.0.16), ts 131229531839, free_ts 131158758528
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21d5/0x22b0 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2451 [inline]
allocate_slab+0x8a/0x3b0 mm/slub.c:2619
new_slab mm/slub.c:2673 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
__slab_alloc mm/slub.c:3949 [inline]
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
__do_kmalloc_node mm/slub.c:4327 [inline]
__kmalloc_noprof+0x305/0x4f0 mm/slub.c:4340
kmalloc_noprof include/linux/slab.h:909 [inline]
indx_read+0x27c/0xc20 fs/ntfs3/index.c:1059
indx_find+0x4bb/0xba0 fs/ntfs3/index.c:1179
indx_insert_entry+0x4f1/0x720 fs/ntfs3/index.c:1963
ntfs_create_inode+0x2317/0x3340 fs/ntfs3/inode.c:1620
ntfs_mknod+0x3b/0x50 fs/ntfs3/namei.c:120
vfs_mknod+0x37f/0x3c0 fs/namei.c:4235
do_mknodat+0x385/0x4d0 fs/namei.c:-1
__do_sys_mknod fs/namei.c:4318 [inline]
__se_sys_mknod fs/namei.c:4316 [inline]
__x64_sys_mknod+0x8c/0xa0 fs/namei.c:4316
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
page last free pid 6275 tgid 6275 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0xc65/0xe60 mm/page_alloc.c:2706
discard_slab mm/slub.c:2717 [inline]
__put_partials+0x161/0x1c0 mm/slub.c:3186
put_cpu_partial+0x17c/0x250 mm/slub.c:3261
__slab_free+0x2f7/0x400 mm/slub.c:4513
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4204
anon_vma_chain_alloc mm/rmap.c:142 [inline]
__anon_vma_prepare+0xcb/0x4a0 mm/rmap.c:195
__vmf_anon_prepare mm/memory.c:3523 [inline]
vmf_anon_prepare mm/internal.h:410 [inline]
do_anonymous_page mm/memory.c:5087 [inline]
do_pte_missing mm/memory.c:4249 [inline]
handle_pte_fault mm/memory.c:6089 [inline]
__handle_mm_fault+0x4d02/0x5620 mm/memory.c:6232
handle_mm_fault+0x2d5/0x7f0 mm/memory.c:6401
do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

Memory state around the buggy address:
ffff888033904f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888033904f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888033905000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888033905080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888033905100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: ec7714e4 Merge tag 'rust-6.16' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=136f31d4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=26abb92f9ef9d1d0
dashboard link: https://syzkaller.appspot.com/bug?extid=598057afa0f49e62bd23
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
patch: https://syzkaller.appspot.com/x/patch.diff?x=1411e570580000

Lizhi Xu

Jun 5, 2025, 11:12:08 PM
to syzbot+598057...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c
index b6da80c69ca6..b31bc9cbfa35 100644
--- a/fs/ntfs3/dir.c
+++ b/fs/ntfs3/dir.c
@@ -304,6 +304,9 @@ static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi,
if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN))
return true;

+ if (fname->name_len > le16_to_cpu(e->size) - sizeof(struct NTFS_DE))
+ return true;
+
name_len = ntfs_utf16_to_nls(sbi, fname->name, fname->name_len, name,
PATH_MAX);
if (name_len <= 0) {
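Review bot: the subtraction `le16_to_cpu(e->size) - sizeof(struct NTFS_DE)` is evaluated in size_t, so an entry whose `size` field is below `sizeof(struct NTFS_DE)` (zero, for instance) produces a bound near SIZE_MAX and the check accepts any `name_len`; put the addition on the left instead, `if (sizeof(struct NTFS_DE) + fname->name_len > le16_to_cpu(e->size))`, which cannot wrap because `name_len` is a u8. A bare `return true` also hides the corruption from the operator: an `ntfs_warn(sbi->sb, ...)` like the one a few lines below for the conversion failure would leave a log trace that a malformed index entry was skipped.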

syzbot

Jun 5, 2025, 11:48:06 PM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+598057...@syzkaller.appspotmail.com
Tested-by: syzbot+598057...@syzkaller.appspotmail.com

Tested on:

commit: e271ed52 Merge tag 'pm-6.16-rc1-3' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=150e3282580000
kernel config: https://syzkaller.appspot.com/x/.config?x=26abb92f9ef9d1d0
dashboard link: https://syzkaller.appspot.com/bug?extid=598057afa0f49e62bd23
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
patch: https://syzkaller.appspot.com/x/patch.diff?x=15884c0c580000

Note: testing is done by a robot and is best-effort only.

Lizhi Xu

Jun 5, 2025, 11:51:35 PM
to syzbot+598057...@syzkaller.appspotmail.com, almaz.ale...@paragon-software.com, linux-...@vger.kernel.org, nt...@lists.linux.dev, syzkall...@googlegroups.com
The length of the file name should be smaller than the directory entry size.

Reported-by: syzbot+598057...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=598057afa0f49e62bd23
Signed-off-by: Lizhi Xu <lizh...@windriver.com>
---
fs/ntfs3/dir.c | 3 +++
1 file changed, 3 insertions(+)
--
2.43.0

Al Viro

Jun 6, 2025, 12:25:10 AM
to Lizhi Xu, syzbot+598057...@syzkaller.appspotmail.com, almaz.ale...@paragon-software.com, linux-...@vger.kernel.org, nt...@lists.linux.dev, syzkall...@googlegroups.com
On Fri, Jun 06, 2025 at 11:51:24AM +0800, Lizhi Xu wrote:
> The length of the file name should be smaller than the directory entry size.
>
> Reported-by: syzbot+598057...@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=598057afa0f49e62bd23
> Signed-off-by: Lizhi Xu <lizh...@windriver.com>
> ---
> fs/ntfs3/dir.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c
> index b6da80c69ca6..b31bc9cbfa35 100644
> --- a/fs/ntfs3/dir.c
> +++ b/fs/ntfs3/dir.c
> @@ -304,6 +304,9 @@ static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi,
> if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN))
> return true;
>
> + if (fname->name_len > le16_to_cpu(e->size) - sizeof(struct NTFS_DE))
> + return true;

And if e->size happens to be e.g. 0? Note that (unsigned short)0 - sizeof(whatever)
ends up being a large unsigned.

unsigned short gets promoted to int. sizeof is size_t - whatever it is,
it's an unsigned integer type, with rank no lower than that of int.

Since we have the entire range of unsigned short representable by int on all
architectures we care about, we get unsigned short promoted to int (preserving
the value) and then to size_t (value taken modulo range of size_t, i.e.
the original unsigned short value preserved). Incidentally, even on a target
where sizeof(unsigned short) == sizeof(int) we'd still get an unsigned result -
unsigned short would be promoted to unsigned int, and mix of two unsigned
integer types gets converted to whichever has the higher rank.

IOW, comparison in
if (fname->name_len > le16_to_cpu(e->size) - sizeof(struct NTFS_DE))
is going to be an unsigned one. AFAICS, fname->name_len is u8, so just
turn that check into
if (sizeof(struct NTFS_DE) + fname->name_len > le16_to_cpu(e->size))
and be done with that - comparison is, again, unsigned, but there's no
possibility of wraparounds in that variant.
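The promotion argument above, as an added example that is not code from the thread or from fs/ntfs3: a stand-in `struct NTFS_DE` (field layout assumed, kept at the real header's 16 bytes only for `sizeof`), a host-order stand-in for `le16_to_cpu()`, and both forms of the check, so the wraparound for a `size` below `sizeof` can be observed and the reordered form shown to reject it.

```c
/* Added example (not from the thread or fs/ntfs3): models the v1 and v2
 * bounds checks to show the unsigned wraparound discussed above. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the on-disk index entry header. The real header is 16 bytes;
 * the field layout here is an assumption and only sizeof() matters. */
struct NTFS_DE {
    uint64_t ref;       /* MFT reference of the entry */
    uint16_t size;      /* size of the whole entry, little-endian on disk */
    uint16_t key_size;  /* size of the key (file-name attribute) */
    uint16_t flags;
    uint16_t res;
};

/* Stand-in for le16_to_cpu(): the constructed sample values are already in host order. */
static uint16_t le16_to_cpu(uint16_t v) { return v; }

/* Right-hand side of the v1 comparison. unsigned short promotes to int, then to
 * size_t for the subtraction, so a size below sizeof(struct NTFS_DE) wraps to a
 * huge unsigned value instead of going negative. */
size_t v1_bound(uint16_t e_size)
{
    return le16_to_cpu(e_size) - sizeof(struct NTFS_DE);
}

/* v1 check: true means "skip this entry", mirroring the patch's return true. */
bool v1_rejects(uint8_t name_len, uint16_t e_size)
{
    return name_len > v1_bound(e_size);
}

/* v2 check with the addition on the left: u8 + size_t cannot wrap, and the
 * comparison is still unsigned but has nothing to wrap around. */
bool v2_rejects(uint8_t name_len, uint16_t e_size)
{
    return sizeof(struct NTFS_DE) + name_len > le16_to_cpu(e_size);
}

int main(void)
{
    /* Constructed entries: a zero-size entry (the case raised above), a 15-byte
     * entry shorter than the header, and a 270-byte entry that exactly fits
     * a 254-character name under either rule. */
    struct { uint8_t name_len; uint16_t e_size; } cases[] = {
        { 255, 0 }, { 1, 15 }, { 254, 270 }, { 255, 270 },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("name_len=%3u e->size=%3u  v1 bound=%zu  v1 rejects=%d  v2 rejects=%d\n",
               (unsigned)cases[i].name_len, (unsigned)cases[i].e_size,
               v1_bound(cases[i].e_size),
               v1_rejects(cases[i].name_len, cases[i].e_size),
               v2_rejects(cases[i].name_len, cases[i].e_size));
    }
    return 0;
}
```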

Lizhi Xu

Jun 6, 2025, 1:16:22 AM
to vi...@zeniv.linux.org.uk, almaz.ale...@paragon-software.com, linux-...@vger.kernel.org, lizh...@windriver.com, nt...@lists.linux.dev, syzbot+598057...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
The length of the file name should be smaller than the directory entry size.

Reported-by: syzbot+598057...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=598057afa0f49e62bd23
Signed-off-by: Lizhi Xu <lizh...@windriver.com>
---
V1 -> V2: move sizeof to left

fs/ntfs3/dir.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c
index b6da80c69ca6..b31bc9cbfa35 100644
--- a/fs/ntfs3/dir.c
+++ b/fs/ntfs3/dir.c
@@ -304,6 +304,9 @@ static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi,
if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN))
return true;

+ if (fname->name_len + sizeof(struct NTFS_DE) > le16_to_cpu(e->size))
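Review bot: the `index b6da80c69ca6..b31bc9cbfa35` line is byte-for-byte the same as in v1 although the added line changed, so this header was not regenerated for the v2 content; re-run `git format-patch` on the actual commit so the blob ids match what is submitted. The bound is also loose: `ntfs_utf16_to_nls()` consumes `fname->name` as UTF-16, so the name occupies `2 * fname->name_len` bytes after the fixed part of the file-name attribute, while this check reserves one byte per character against the whole entry; comparing the real byte count against `le16_to_cpu(e->key_size)` (the field printed by the debugging patch earlier in the thread) would reject malformed entries that still pass here.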