authorHyunchul Lee <hyc.lee@gmail.com>2026-03-17 14:13:44 +0900
committerNamjae Jeon <linkinjeon@kernel.org>2026-04-07 18:36:13 +0900
commit14f0a13ec79dfa63e143ea45e6530d80bec6e291 (patch)
tree94084a93788bcc9bd723afec7d08458c3eb87690
parenta198a0c4b898f7c62f240a5b6baef93e456fb033 (diff)
ntfs: remove redundant out-of-bound checks
Remove redundant out-of-bounds validations. Since ntfs_attr_find and ntfs_external_attr_find now validate the attribute value offsets and lengths against the bounds of the MFT record block, performing subsequent bounds checking in caller functions like ntfs_attr_lookup is no longer necessary. Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
-rw-r--r--fs/ntfs/inode.c28
-rw-r--r--fs/ntfs/namei.c8
-rw-r--r--fs/ntfs/super.c6
3 files changed, 0 insertions, 42 deletions
diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index 314741a40369..16890d411194 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -757,12 +757,6 @@ static int ntfs_read_locked_inode(struct inode *vi)
}
a = ctx->attr;
/* Get the standard information attribute value. */
- if ((u8 *)a + le16_to_cpu(a->data.resident.value_offset)
- + le32_to_cpu(a->data.resident.value_length) >
- (u8 *)ctx->mrec + vol->mft_record_size) {
- ntfs_error(vi->i_sb, "Corrupt standard information attribute in inode.");
- goto unm_err_out;
- }
si = (struct standard_information *)((u8 *)a +
le16_to_cpu(a->data.resident.value_offset));
@@ -849,13 +843,6 @@ static int ntfs_read_locked_inode(struct inode *vi)
goto unm_err_out;
}
} else /* if (!a->non_resident) */ {
- if ((u8 *)a + le16_to_cpu(a->data.resident.value_offset)
- + le32_to_cpu(
- a->data.resident.value_length) >
- (u8 *)ctx->mrec + vol->mft_record_size) {
- ntfs_error(vi->i_sb, "Corrupt attribute list in inode.");
- goto unm_err_out;
- }
/* Now copy the attribute list. */
memcpy(ni->attr_list, (u8 *)a + le16_to_cpu(
a->data.resident.value_offset),
@@ -954,10 +941,6 @@ view_index_meta:
ir = (struct index_root *)((u8 *)a +
le16_to_cpu(a->data.resident.value_offset));
ir_end = (u8 *)ir + le32_to_cpu(a->data.resident.value_length);
- if (ir_end > (u8 *)ctx->mrec + vol->mft_record_size) {
- ntfs_error(vi->i_sb, "$INDEX_ROOT attribute is corrupt.");
- goto unm_err_out;
- }
index_end = (u8 *)&ir->index +
le32_to_cpu(ir->index.index_length);
if (index_end > ir_end) {
@@ -1552,10 +1535,6 @@ static int ntfs_read_locked_index_inode(struct inode *base_vi, struct inode *vi)
ir = (struct index_root *)((u8 *)a + le16_to_cpu(a->data.resident.value_offset));
ir_end = (u8 *)ir + le32_to_cpu(a->data.resident.value_length);
- if (ir_end > (u8 *)ctx->mrec + vol->mft_record_size) {
- ntfs_error(vi->i_sb, "$INDEX_ROOT attribute is corrupt.");
- goto unm_err_out;
- }
index_end = (u8 *)&ir->index + le32_to_cpu(ir->index.index_length);
if (index_end > ir_end) {
ntfs_error(vi->i_sb, "Index is corrupt.");
@@ -1999,13 +1978,6 @@ int ntfs_read_inode_mount(struct inode *vi)
goto put_err_out;
}
} else /* if (!ctx.attr->non_resident) */ {
- if ((u8 *)a + le16_to_cpu(
- a->data.resident.value_offset) +
- le32_to_cpu(a->data.resident.value_length) >
- (u8 *)ctx->mrec + vol->mft_record_size) {
- ntfs_error(sb, "Corrupt attribute list attribute.");
- goto put_err_out;
- }
/* Now copy the attribute list. */
memcpy(ni->attr_list, (u8 *)a + le16_to_cpu(
a->data.resident.value_offset),
diff --git a/fs/ntfs/namei.c b/fs/ntfs/namei.c
index ba42c566940a..10894de519c3 100644
--- a/fs/ntfs/namei.c
+++ b/fs/ntfs/namei.c
@@ -274,7 +274,6 @@ handle_name:
}
do {
struct attr_record *a;
- u32 val_len;
err = ntfs_attr_lookup(AT_FILE_NAME, NULL, 0, 0, 0,
NULL, 0, ctx);
@@ -289,15 +288,8 @@ handle_name:
a = ctx->attr;
if (a->non_resident || a->flags)
goto eio_err_out;
- val_len = le32_to_cpu(a->data.resident.value_length);
- if (le16_to_cpu(a->data.resident.value_offset) +
- val_len > le32_to_cpu(a->length))
- goto eio_err_out;
fn = (struct file_name_attr *)((u8 *)ctx->attr + le16_to_cpu(
ctx->attr->data.resident.value_offset));
- if ((u32)(fn->file_name_length * sizeof(__le16) +
- sizeof(struct file_name_attr)) > val_len)
- goto eio_err_out;
} while (fn->file_name_type != FILE_NAME_WIN32);
/* Convert the found WIN32 name to current NLS code page. */
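Review bot: The deleted `file_name_length` test in this loop is not an offset/length-versus-record check, so the redundancy argument in the commit message does not obviously cover it; it kept the name inside the attribute value, and the code after the loop goes on to convert the WIN32 name from this on-disk record. The other deleted test compared the value against `a->length`, which is a tighter bound than the MFT record size the message refers to. Unless ntfs_attr_find also validates AT_FILE_NAME contents (it is not visible in this diff), I would keep `val_len` and the guard, with an explicit minimum size so that `fn->file_name_type` in the loop condition is also inside the value: `if (val_len < sizeof(struct file_name_attr) || fn->file_name_length * sizeof(__le16) > val_len - sizeof(struct file_name_attr)) goto eio_err_out;`. The enclosing function begins and ends outside the hunk.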
diff --git a/fs/ntfs/super.c b/fs/ntfs/super.c
index 39a5c3b81001..22dc7865eca7 100644
--- a/fs/ntfs/super.c
+++ b/fs/ntfs/super.c
@@ -1512,7 +1512,6 @@ iput_volume_failed:
if (ntfs_attr_lookup(AT_VOLUME_INFORMATION, NULL, 0, 0, 0, NULL, 0,
ctx) || ctx->attr->non_resident || ctx->attr->flags) {
-err_put_vol:
ntfs_attr_put_search_ctx(ctx);
get_ctx_vol_failed:
unmap_mft_record(NTFS_I(vol->vol_ino));
@@ -1520,11 +1519,6 @@ get_ctx_vol_failed:
}
vi = (struct volume_information *)((char *)ctx->attr +
le16_to_cpu(ctx->attr->data.resident.value_offset));
- /* Some bounds checks. */
- if ((u8 *)vi < (u8 *)ctx->attr || (u8 *)vi +
- le32_to_cpu(ctx->attr->data.resident.value_length) >
- (u8 *)ctx->attr + le32_to_cpu(ctx->attr->length))
- goto err_put_vol;
/* Copy the volume flags and version to the struct ntfs_volume structure. */
vol->vol_flags = vi->flags;
vol->major_ver = vi->major_ver;
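Review bot: After this hunk nothing visible ties `vi` to the attribute it came from before `vi->flags` and `vi->major_ver` are read; the deleted test bounded the value by `ctx->attr->length`, whereas the commit message describes the lookup-side validation as being against the MFT record. Neither the old nor the new code checks that `value_length` is at least `sizeof(struct volume_information)`, so a short value from a corrupt record is still read as a full structure. If ntfs_attr_find does not already enforce both (it is not part of this diff), keep the `err_put_vol` label removed in the previous hunk and add `if (le32_to_cpu(ctx->attr->data.resident.value_length) < sizeof(struct volume_information)) goto err_put_vol;`. The function body starts and ends outside the hunk.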