tmakin/tegra-linux-noble
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fs/ntfs3: Check if more than chunk-size bytes are written

Browse Source 
BugLink: https://bugs.launchpad.net/bugs/2099996

[ Upstream commit 9931122d04c6d431b2c11b5bb7b10f28584067f0 ]

A incorrectly formatted chunk may decompress into
more than LZNT_CHUNK_SIZE bytes and a index out of bounds
will occur in s_max_off.

Signed-off-by: Andrew Ballance <andrewjballance@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
CVE-2024-50247
Signed-off-by: Koichiro Den <koichiro.den@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
This commit is contained in:
Andrew Ballance
2025-02-25 22:59:22 +09:00
committed by Stefan Bader
parent 4fac91e216
commit c6213055c3
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
fs/ntfs3/lznt.c
+3
View File
@@ -236,6 +236,9 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr,
/* Do decompression until pointers are inside range. */
while (up < unc_end && cmpr < cmpr_end) {
// return err if more than LZNT_CHUNK_SIZE bytes are written
if (up - unc > LZNT_CHUNK_SIZE)
return -EINVAL;
/* Correct index */
while (unc + s_max_off[index] < up)
index += 1;