diff options
| author | YangWen <anmuxixixi@gmail.com> | 2025-09-10 23:17:08 +0800 |
|---|---|---|
| committer | Konstantin Komarov <almaz.alexandrovich@paragon-software.com> | 2025-10-17 16:45:37 +0200 |
| commit | 02f312754c873efe076888a2fdca982e56617929 (patch) | |
| tree | e5d7187b67c5d052e593392c4faa3f51592fca9e | |
| parent | 68f6bd128e75a032432eda9d16676ed2969a1096 (diff) | |
ntfs3: fix use-after-free of sbi->options in cmp_fnames
The root cause is that sbi->options points directly to fc->fs_private.
If fc->fs_private is freed while sbi still exists, sbi->options becomes
a dangling pointer.
This patch ensures that sbi->options is a separate copy of fc->fs_private
and duplicates nls_name if present. On superblock release or error,
sbi->options->nls_name and sbi->options are freed and sbi->options
is set to NULL to avoid any dangling pointer.
Reported-by: syzbot+d77c546c60db651a389c@syzkaller.appspotmail.com
Signed-off-by: YangWen <anmuxixixi@gmail.com>
[almaz.alexandrovich@paragon-software.com: remove syzbot logs from description]
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
| -rw-r--r-- | fs/ntfs3/super.c | 47 |
1 files changed, 39 insertions, 8 deletions
diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c index 9f69316d77b6..aae1f32f4dab 100644 --- a/fs/ntfs3/super.c +++ b/fs/ntfs3/super.c @@ -702,6 +702,14 @@ static void ntfs_put_super(struct super_block *sb) /* Mark rw ntfs as clear, if possible. */ ntfs_set_state(sbi, NTFS_DIRTY_CLEAR); + + if (sbi->options) { + unload_nls(sbi->options->nls); + kfree(sbi->options->nls); + kfree(sbi->options); + sbi->options = NULL; + } + ntfs3_put_sbi(sbi); } @@ -1203,7 +1211,8 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc) int err; struct ntfs_sb_info *sbi = sb->s_fs_info; struct block_device *bdev = sb->s_bdev; - struct ntfs_mount_options *options; + struct ntfs_mount_options *fc_opts; + struct ntfs_mount_options *options = NULL; struct inode *inode; struct ntfs_inode *ni; size_t i, tt, bad_len, bad_frags; @@ -1220,20 +1229,35 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc) ref.high = 0; sbi->sb = sb; - sbi->options = options = fc->fs_private; - fc->fs_private = NULL; + fc_opts = fc->fs_private; + if (!fc_opts) { + errorf(fc, "missing mount options"); + return -EINVAL; + } + options = kmemdup(fc_opts, sizeof(*fc_opts), GFP_KERNEL); + if (!options) + return -ENOMEM; + + if (fc_opts->nls_name) { + options->nls_name = kstrdup(fc_opts->nls_name, GFP_KERNEL); + if (!options->nls_name) { + kfree(options); + return -ENOMEM; + } + } + sbi->options = options; sb->s_flags |= SB_NODIRATIME; sb->s_magic = 0x7366746e; // "ntfs" sb->s_op = &ntfs_sops; sb->s_export_op = &ntfs_export_ops; sb->s_time_gran = NTFS_TIME_GRAN; // 100 nsec sb->s_xattr = ntfs_xattr_handlers; - set_default_d_op(sb, options->nocase ? &ntfs_dentry_ops : NULL); + set_default_d_op(sb, sbi->options->nocase ? &ntfs_dentry_ops : NULL); - options->nls = ntfs_load_nls(options->nls_name); - if (IS_ERR(options->nls)) { - options->nls = NULL; - errorf(fc, "Cannot load nls %s", options->nls_name); + sbi->options->nls = ntfs_load_nls(sbi->options->nls_name); + if (IS_ERR(sbi->options->nls)) { + sbi->options->nls = NULL; + errorf(fc, "Cannot load nls %s", fc_opts->nls_name); err = -EINVAL; goto out; } @@ -1645,6 +1669,13 @@ load_root: put_inode_out: iput(inode); out: + if (sbi && sbi->options) { + unload_nls(sbi->options->nls); + kfree(sbi->options->nls); + kfree(sbi->options); + sbi->options = NULL; + } + ntfs3_put_sbi(sbi); kfree(boot2); return err; |