Unverified Commit 02f31275 authored by YangWen's avatar YangWen Committed by Konstantin Komarov
Browse files

ntfs3: fix use-after-free of sbi->options in cmp_fnames 



The root cause is that sbi->options points directly to fc->fs_private.
If fc->fs_private is freed while sbi still exists, sbi->options becomes
a dangling pointer.

This patch ensures that sbi->options is a separate copy of fc->fs_private
and duplicates nls_name if present. On superblock release or error,
sbi->options->nls_name and sbi->options are freed and sbi->options
is set to NULL to avoid any dangling pointer.

Reported-by: default avatar <syzbot+d77c546c60db651a389c@syzkaller.appspotmail.com>
Signed-off-by: default avatarYangWen <anmuxixixi@gmail.com>
[almaz.alexandrovich@paragon-software.com: remove syzbot logs from description]
Signed-off-by: default avatarKonstantin Komarov <almaz.alexandrovich@paragon-software.com>
parent 68f6bd12

fs/ntfs3/super.c

+39 −8
Original line number Diff line number Diff line
@@ -702,6 +702,14 @@ static void ntfs_put_super(struct super_block *sb) 


	/* Mark rw ntfs as clear, if possible. */

	ntfs_set_state(sbi, NTFS_DIRTY_CLEAR);



	if (sbi->options) {

		unload_nls(sbi->options->nls);

		kfree(sbi->options->nls);

		kfree(sbi->options);

		sbi->options = NULL;

	}



	ntfs3_put_sbi(sbi);

}
@@ -1203,7 +1211,8 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc) 
	int err;

	struct ntfs_sb_info *sbi = sb->s_fs_info;

	struct block_device *bdev = sb->s_bdev;

	struct ntfs_mount_options *options;

	struct ntfs_mount_options *fc_opts;

	struct ntfs_mount_options *options = NULL;

	struct inode *inode;

	struct ntfs_inode *ni;

	size_t i, tt, bad_len, bad_frags;
@@ -1220,20 +1229,35 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc) 
	ref.high = 0;



	sbi->sb = sb;

	sbi->options = options = fc->fs_private;

	fc->fs_private = NULL;

	fc_opts = fc->fs_private;

	if (!fc_opts) {

		errorf(fc, "missing mount options");

		return -EINVAL;

	}

	options = kmemdup(fc_opts, sizeof(*fc_opts), GFP_KERNEL);

	if (!options)

		return -ENOMEM;



	if (fc_opts->nls_name) {

		options->nls_name = kstrdup(fc_opts->nls_name, GFP_KERNEL);

		if (!options->nls_name) {

			kfree(options);

			return -ENOMEM;

		}

	}

	sbi->options = options;

	sb->s_flags |= SB_NODIRATIME;

	sb->s_magic = 0x7366746e; // "ntfs"

	sb->s_op = &ntfs_sops;

	sb->s_export_op = &ntfs_export_ops;

	sb->s_time_gran = NTFS_TIME_GRAN; // 100 nsec

	sb->s_xattr = ntfs_xattr_handlers;

	set_default_d_op(sb, options->nocase ? &ntfs_dentry_ops : NULL);

	set_default_d_op(sb, sbi->options->nocase ? &ntfs_dentry_ops : NULL);



	options->nls = ntfs_load_nls(options->nls_name);

	if (IS_ERR(options->nls)) {

		options->nls = NULL;

		errorf(fc, "Cannot load nls %s", options->nls_name);

	sbi->options->nls = ntfs_load_nls(sbi->options->nls_name);

	if (IS_ERR(sbi->options->nls)) {

		sbi->options->nls = NULL;

		errorf(fc, "Cannot load nls %s", fc_opts->nls_name);

		err = -EINVAL;

		goto out;

	}
@@ -1645,6 +1669,13 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc) 
put_inode_out:

	iput(inode);

out:

	if (sbi && sbi->options) {

		unload_nls(sbi->options->nls);

		kfree(sbi->options->nls);

		kfree(sbi->options);

		sbi->options = NULL;

	}



	ntfs3_put_sbi(sbi);

	kfree(boot2);

	return err;