From: Huacai Chen chenhuacai@loongson.cn
stable inclusion from stable-v5.15.164 commit 0484adcb5fbcadd9ba0fd4485c42630f72e97da9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKPVC CVE: CVE-2024-42299
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=t...
--------------------------------
commit 2fef55d8f78383c8e6d6d4c014b9597375132696 upstream.
If an NTFS file system is mounted to another system with different PAGE_SIZE from the original system, log->page_size will change in log_replay(), but log->page_{mask,bits} don't change correspondingly. This will cause a panic because "u32 bytes = log->page_size - page_off" will get a negative value in the later read_log_page().
Cc: stable@vger.kernel.org Fixes: b46acd6a6a627d876898e ("fs/ntfs3: Add NTFS journal") Signed-off-by: Huacai Chen chenhuacai@loongson.cn Signed-off-by: Konstantin Komarov almaz.alexandrovich@paragon-software.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Long Li leo.lilong@huawei.com --- fs/ntfs3/fslog.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c index f78aa66313d2..fb56c4c33987 100644 --- a/fs/ntfs3/fslog.c +++ b/fs/ntfs3/fslog.c @@ -3953,6 +3953,9 @@ int log_replay(struct ntfs_inode *ni, bool *initialized) goto out; }
+ log->page_mask = log->page_size - 1; + log->page_bits = blksize_bits(log->page_size); + /* If the file size has shrunk then we won't mount it. */ if (l_size < le64_to_cpu(ra2->l_size)) { err = -EINVAL;
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/11191 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/C...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/11191 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/C...