From: Huacai Chen chenhuacai@loongson.cn

stable inclusion from stable-v5.15.164 commit 0484adcb5fbcadd9ba0fd4485c42630f72e97da9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKPVC CVE: CVE-2024-42299

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=t...

--------------------------------

commit 2fef55d8f78383c8e6d6d4c014b9597375132696 upstream.

If an NTFS file system is mounted to another system with different PAGE_SIZE from the original system, log->page_size will change in log_replay(), but log->page_{mask,bits} don't change correspondingly. This will cause a panic because "u32 bytes = log->page_size - page_off" will get a negative value in the later read_log_page().

Cc: stable@vger.kernel.org Fixes: b46acd6a6a627d876898e ("fs/ntfs3: Add NTFS journal") Signed-off-by: Huacai Chen chenhuacai@loongson.cn Signed-off-by: Konstantin Komarov almaz.alexandrovich@paragon-software.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Long Li leo.lilong@huawei.com --- fs/ntfs3/fslog.c | 3 +++ 1 file changed, 3 insertions(+)

diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c index f78aa66313d2..fb56c4c33987 100644 --- a/fs/ntfs3/fslog.c +++ b/fs/ntfs3/fslog.c @@ -3953,6 +3953,9 @@ int log_replay(struct ntfs_inode *ni, bool *initialized) goto out; }

+ log->page_mask = log->page_size - 1; + log->page_bits = blksize_bits(log->page_size); + /* If the file size has shrunk then we won't mount it. */ if (l_size < le64_to_cpu(ra2->l_size)) { err = -EINVAL;