From: Edward Adam Davis eadavis@qq.com
mainline inclusion from mainline-v6.8-rc4 commit 731ab1f9828800df871c5a7ab9ffe965317d3f15 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E2O5 CVE: CVE-2023-52640
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
The length of name cannot exceed the space occupied by ea.
Reported-and-tested-by: syzbot+65e940cfb8f99a97aca7@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis eadavis@qq.com Signed-off-by: Konstantin Komarov almaz.alexandrovich@paragon-software.com Signed-off-by: Baokun Li libaokun1@huawei.com --- fs/ntfs3/xattr.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c index 0dd07dd7c11b..24d739000c80 100644 --- a/fs/ntfs3/xattr.c +++ b/fs/ntfs3/xattr.c @@ -217,6 +217,9 @@ static ssize_t ntfs_list_ea(struct ntfs_inode *ni, char *buffer, if (!ea->name_len) break;
+ if (ea->name_len > ea_size) + break; + if (buffer) { /* Check if we can use field ea->name */ if (off + ea_size > size)