Commit 14f0a13e authored by Hyunchul Lee's avatar Hyunchul Lee Committed by Namjae Jeon

ntfs: remove redundant out-of-bound checks



Remove redundant out-of-bounds validations.
Since ntfs_attr_find and ntfs_external_attr_find
now validate the attribute value offsets and
lengths against the bounds of the MFT record block,
performing subsequent bounds checking in caller
functions like ntfs_attr_lookup is no longer necessary.

Signed-off-by: default avatarHyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
parent a198a0c4
+0 −28
@@ -757,12 +757,6 @@ static int ntfs_read_locked_inode(struct inode *vi)
	}
	a = ctx->attr;
	/* Get the standard information attribute value. */
	if ((u8 *)a + le16_to_cpu(a->data.resident.value_offset)
			+ le32_to_cpu(a->data.resident.value_length) >
			(u8 *)ctx->mrec + vol->mft_record_size) {
		ntfs_error(vi->i_sb, "Corrupt standard information attribute in inode.");
		goto unm_err_out;
	}
	si = (struct standard_information *)((u8 *)a +
			le16_to_cpu(a->data.resident.value_offset));

@@ -849,13 +843,6 @@ static int ntfs_read_locked_inode(struct inode *vi)
				goto unm_err_out;
			}
		} else /* if (!a->non_resident) */ {
			if ((u8 *)a + le16_to_cpu(a->data.resident.value_offset)
					+ le32_to_cpu(
					a->data.resident.value_length) >
					(u8 *)ctx->mrec + vol->mft_record_size) {
				ntfs_error(vi->i_sb, "Corrupt attribute list in inode.");
				goto unm_err_out;
			}
			/* Now copy the attribute list. */
			memcpy(ni->attr_list, (u8 *)a + le16_to_cpu(
					a->data.resident.value_offset),
@@ -954,10 +941,6 @@ static int ntfs_read_locked_inode(struct inode *vi)
		ir = (struct index_root *)((u8 *)a +
				le16_to_cpu(a->data.resident.value_offset));
		ir_end = (u8 *)ir + le32_to_cpu(a->data.resident.value_length);
		if (ir_end > (u8 *)ctx->mrec + vol->mft_record_size) {
			ntfs_error(vi->i_sb, "$INDEX_ROOT attribute is corrupt.");
			goto unm_err_out;
		}
		index_end = (u8 *)&ir->index +
				le32_to_cpu(ir->index.index_length);
		if (index_end > ir_end) {
@@ -1552,10 +1535,6 @@ static int ntfs_read_locked_index_inode(struct inode *base_vi, struct inode *vi)

	ir = (struct index_root *)((u8 *)a + le16_to_cpu(a->data.resident.value_offset));
	ir_end = (u8 *)ir + le32_to_cpu(a->data.resident.value_length);
	if (ir_end > (u8 *)ctx->mrec + vol->mft_record_size) {
		ntfs_error(vi->i_sb, "$INDEX_ROOT attribute is corrupt.");
		goto unm_err_out;
	}
	index_end = (u8 *)&ir->index + le32_to_cpu(ir->index.index_length);
	if (index_end > ir_end) {
		ntfs_error(vi->i_sb, "Index is corrupt.");
@@ -1999,13 +1978,6 @@ int ntfs_read_inode_mount(struct inode *vi)
				goto put_err_out;
			}
		} else /* if (!ctx.attr->non_resident) */ {
			if ((u8 *)a + le16_to_cpu(
					a->data.resident.value_offset) +
					le32_to_cpu(a->data.resident.value_length) >
					(u8 *)ctx->mrec + vol->mft_record_size) {
				ntfs_error(sb, "Corrupt attribute list attribute.");
				goto put_err_out;
			}
			/* Now copy the attribute list. */
			memcpy(ni->attr_list, (u8 *)a + le16_to_cpu(
					a->data.resident.value_offset),
+0 −8
@@ -274,7 +274,6 @@ static struct dentry *ntfs_lookup(struct inode *dir_ino, struct dentry *dent,
			}
			do {
				struct attr_record *a;
				u32 val_len;

				err = ntfs_attr_lookup(AT_FILE_NAME, NULL, 0, 0, 0,
						NULL, 0, ctx);
@@ -289,15 +288,8 @@ static struct dentry *ntfs_lookup(struct inode *dir_ino, struct dentry *dent,
				a = ctx->attr;
				if (a->non_resident || a->flags)
					goto eio_err_out;
				val_len = le32_to_cpu(a->data.resident.value_length);
				if (le16_to_cpu(a->data.resident.value_offset) +
						val_len > le32_to_cpu(a->length))
					goto eio_err_out;
				fn = (struct file_name_attr *)((u8 *)ctx->attr + le16_to_cpu(
							ctx->attr->data.resident.value_offset));
				if ((u32)(fn->file_name_length * sizeof(__le16) +
							sizeof(struct file_name_attr)) > val_len)
					goto eio_err_out;
			} while (fn->file_name_type != FILE_NAME_WIN32);

			/* Convert the found WIN32 name to current NLS code page. */
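Review bot: The removed check on `fn->file_name_length` validated the $FILE_NAME payload against the attribute value length, which is a different invariant from the value offset/length-versus-MFT-record bound the description says ntfs_attr_find now enforces; unless that helper also verifies the file-name payload (not visible here), the NLS conversion that follows now consumes `fn->file_name_length` UTF-16 units without any guard that they lie inside the value. Keeping that one check would preserve the guard: `if ((u32)(fn->file_name_length * sizeof(__le16) + sizeof(struct file_name_attr)) > le32_to_cpu(a->data.resident.value_length)) goto eio_err_out;`. The dropped comparison against `a->length` was also tighter than a record-block bound, as it kept the value inside its own attribute record rather than merely inside the mapped MFT record. ntfs_lookup begins and ends outside this hunk.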
+0 −6
@@ -1512,7 +1512,6 @@ static bool load_system_files(struct ntfs_volume *vol)

	if (ntfs_attr_lookup(AT_VOLUME_INFORMATION, NULL, 0, 0, 0, NULL, 0,
			ctx) || ctx->attr->non_resident || ctx->attr->flags) {
err_put_vol:
		ntfs_attr_put_search_ctx(ctx);
get_ctx_vol_failed:
		unmap_mft_record(NTFS_I(vol->vol_ino));
@@ -1520,11 +1519,6 @@ static bool load_system_files(struct ntfs_volume *vol)
	}
	vi = (struct volume_information *)((char *)ctx->attr +
			le16_to_cpu(ctx->attr->data.resident.value_offset));
	/* Some bounds checks. */
	if ((u8 *)vi < (u8 *)ctx->attr || (u8 *)vi +
			le32_to_cpu(ctx->attr->data.resident.value_length) >
			(u8 *)ctx->attr + le32_to_cpu(ctx->attr->length))
		goto err_put_vol;
	/* Copy the volume flags and version to the struct ntfs_volume structure. */
	vol->vol_flags = vi->flags;
	vol->major_ver = vi->major_ver;
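Review bot: The removed "Some bounds checks" block compared the value end against `ctx->attr->length`, the attribute record's own length, whereas the description only says the lookup helpers now validate against the MFT record block; if that is the only new check, a $VOLUME_INFORMATION value that overruns its attribute record but stays inside the block is no longer rejected before `vi->flags` and `vi->major_ver` are read. That read stays inside the mapped record, so the exposure is a missed corruption detection rather than an out-of-bounds access, but it is worth confirming that ntfs_attr_find checks the value against the attribute length as well. The `(u8 *)vi < (u8 *)ctx->attr` half of the check was genuinely redundant, since `value_offset` is an unsigned 16-bit offset added to the attribute base. load_system_files continues outside this hunk.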