Re: [syzbot] [ntfs3?] KASAN: use-after-free Read in bcmp

[Pavel Skripkin]

Hi Syzbot,

Syzbot <syzbot+53ce40c8c0322c06aea5@xxxxxxxxxxxxxxxxxxxxxxxxx> says:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    8689f4f2ea56 Merge tag 'mmc-v6.5-2' of git://git.kernel.or..
> git tree:       upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1658af44a80000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=15873d91ff37a949
> dashboard link: https://syzkaller.appspot.com/bug?extid=53ce40c8c0322c06aea5
> compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12f82688a80000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12d54a78a80000

#syz test 
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master





With regards,
Pavel Skripkindiff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index 1a02072b6b0e..e04e89b7335e 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -855,6 +855,11 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size,
 
 check_boot:
 	err = -EINVAL;
+
+	/* Corrupted image; do not read OOB */
+	if (bh->b_size - sizeof(*boot) < boot_off)
+		goto out;
+
 	boot = (struct NTFS_BOOT *)Add2Ptr(bh->b_data, boot_off);
 
 	if (memcmp(boot->system_id, "NTFS    ", sizeof("NTFS    ") - 1)) {