exfat: fix improper check of dentry.stream.valid_size

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

We found an infinite loop bug in the exFAT file system that can lead to a
Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is
malformed, the following system calls — SYS_openat, SYS_ftruncate, and
SYS_pwrite64 — can cause the kernel to hang.

Root cause analysis shows that the size validation code in exfat_find()
does not check whether dentry.stream.valid_size is negative. As a result,
the system calls mentioned above can succeed and eventually trigger the DoS
issue.

This patch adds a check for negative dentry.stream.valid_size to prevent
this vulnerability.

Co-developed-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Co-developed-by: Jihoon Kwon <jimmyxyz010315@gmail.com>
Signed-off-by: Jihoon Kwon <jimmyxyz010315@gmail.com>
Signed-off-by: Jaehun Gou <p22gone@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>

authored by

Jaehun Gou and committed by

Namjae Jeon 5 months ago 82ebecdc 9b332cec

+5 -1

1 changed file

expand all

exfat

namei.c

+5 -1

fs/exfat/namei.c

··· 642 642 643 643 info->type = exfat_get_entry_type(ep); 644 644 info->attr = le16_to_cpu(ep->dentry.file.attr); 645 - info->size = le64_to_cpu(ep2->dentry.stream.valid_size); 646 645 info->valid_size = le64_to_cpu(ep2->dentry.stream.valid_size); 647 646 info->size = le64_to_cpu(ep2->dentry.stream.size); 647 + 648 + if (info->valid_size < 0) { 649 + exfat_fs_error(sb, "data valid size is invalid(%lld)", info->valid_size); 650 + return -EIO; 651 + } 648 652 649 653 if (unlikely(EXFAT_B_TO_CLU_ROUND_UP(info->size, sbi) > sbi->used_clusters)) { 650 654 exfat_fs_error(sb, "data size is invalid(%lld)", info->size);