Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ntfs3: fix use-after-free of sbi->options in cmp_fnames 

The root cause is that sbi->options points directly to fc->fs_private.
If fc->fs_private is freed while sbi still exists, sbi->options becomes
a dangling pointer.

This patch ensures that sbi->options is a separate copy of fc->fs_private
and duplicates nls_name if present. On superblock release or error,
sbi->options->nls_name and sbi->options are freed and sbi->options
is set to NULL to avoid any dangling pointer.

Reported-by: syzbot+d77c546c60db651a389c@syzkaller.appspotmail.com
Signed-off-by: YangWen <anmuxixixi@gmail.com>
[almaz.alexandrovich@paragon-software.com: remove syzbot logs from description]
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
This commit is contained in:
YangWen 2025-09-10 23:17:08 +08:00 committed by Konstantin Komarov
parent 68f6bd128e
commit 02f312754c
No known key found for this signature in database
GPG Key ID: A9B0331F832407B6
1 changed files with 39 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
fs/ntfs3/super.c
View File

@ -702,6 +702,14 @@ static void ntfs_put_super(struct super_block *sb)
/* Mark rw ntfs as clear, if possible. */ /* Mark rw ntfs as clear, if possible. */
ntfs_set_state(sbi, NTFS_DIRTY_CLEAR); ntfs_set_state(sbi, NTFS_DIRTY_CLEAR);
if (sbi->options) {
unload_nls(sbi->options->nls);
kfree(sbi->options->nls);
kfree(sbi->options);
sbi->options = NULL;
}
ntfs3_put_sbi(sbi); ntfs3_put_sbi(sbi);
} }
@ -1203,7 +1211,8 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
int err; int err;
struct ntfs_sb_info *sbi = sb->s_fs_info; struct ntfs_sb_info *sbi = sb->s_fs_info;
struct block_device *bdev = sb->s_bdev; struct block_device *bdev = sb->s_bdev;
struct ntfs_mount_options *options; struct ntfs_mount_options *fc_opts;
struct ntfs_mount_options *options = NULL;
struct inode *inode; struct inode *inode;
struct ntfs_inode *ni; struct ntfs_inode *ni;
size_t i, tt, bad_len, bad_frags; size_t i, tt, bad_len, bad_frags;
@ -1220,20 +1229,35 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
ref.high = 0; ref.high = 0;
sbi->sb = sb; sbi->sb = sb;
sbi->options = options = fc->fs_private; fc_opts = fc->fs_private;
fc->fs_private = NULL; if (!fc_opts) {
errorf(fc, "missing mount options");
return -EINVAL;
}
options = kmemdup(fc_opts, sizeof(*fc_opts), GFP_KERNEL);
if (!options)
return -ENOMEM;
if (fc_opts->nls_name) {
options->nls_name = kstrdup(fc_opts->nls_name, GFP_KERNEL);
if (!options->nls_name) {
kfree(options);
return -ENOMEM;
}
}
sbi->options = options;
sb->s_flags |= SB_NODIRATIME; sb->s_flags |= SB_NODIRATIME;
sb->s_magic = 0x7366746e; // "ntfs" sb->s_magic = 0x7366746e; // "ntfs"
sb->s_op = &ntfs_sops; sb->s_op = &ntfs_sops;
sb->s_export_op = &ntfs_export_ops; sb->s_export_op = &ntfs_export_ops;
sb->s_time_gran = NTFS_TIME_GRAN; // 100 nsec sb->s_time_gran = NTFS_TIME_GRAN; // 100 nsec
sb->s_xattr = ntfs_xattr_handlers; sb->s_xattr = ntfs_xattr_handlers;
set_default_d_op(sb, options->nocase ? &ntfs_dentry_ops : NULL); set_default_d_op(sb, sbi->options->nocase ? &ntfs_dentry_ops : NULL);
options->nls = ntfs_load_nls(options->nls_name); sbi->options->nls = ntfs_load_nls(sbi->options->nls_name);
if (IS_ERR(options->nls)) { if (IS_ERR(sbi->options->nls)) {
options->nls = NULL; sbi->options->nls = NULL;
errorf(fc, "Cannot load nls %s", options->nls_name); errorf(fc, "Cannot load nls %s", fc_opts->nls_name);
err = -EINVAL; err = -EINVAL;
goto out; goto out;
} }
@ -1645,6 +1669,13 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
put_inode_out: put_inode_out:
iput(inode); iput(inode);
out: out:
if (sbi && sbi->options) {
unload_nls(sbi->options->nls);
kfree(sbi->options->nls);
kfree(sbi->options);
sbi->options = NULL;
}
ntfs3_put_sbi(sbi); ntfs3_put_sbi(sbi);
kfree(boot2); kfree(boot2);
return err; return err;