Description

In the Linux kernel, the following vulnerability has been resolved: ntfs: set dummy blocksize to read boot_block when mounting When mounting, sb->s_blocksize is used to read the boot_block without being defined or validated. Set a dummy blocksize before attempting to read the boot_block. The issue can be triggered with the following syz reproducer: mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0) r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0) ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000) mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000000)='ntfs3\x00', 0x2208004, 0x0) syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0) Here, the ioctl sets the bdev block size to 16384. During mount, get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)), but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves sb->s_blocksize at zero. Later, ntfs_init_from_boot() attempts to read the boot_block while sb->s_blocksize is still zero, which triggers the bug. [almaz.alexandrovich@paragon-software.com: changed comment style, added return value handling]

References 5

• git.kernel.org https://git.kernel.org/stable/c/0c9327c8abf9c8f046e45008bb43d94d8ee5c6c5
• git.kernel.org https://git.kernel.org/stable/c/44a38eb4f7876513db5a1bccde74de9bc4389d43
• git.kernel.org https://git.kernel.org/stable/c/4fff9a625da958a33191c8553a03283786f9f417
• git.kernel.org https://git.kernel.org/stable/c/b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a
• git.kernel.org https://git.kernel.org/stable/c/d1693a7d5a38acf6424235a6070bcf5b186a360d

Remediation