[PATCH v5 4/4] ntfs: validate index root allocated_size on lookup
From: DaeMyung Kang
Date: Sun Jun 07 2026 - 01:18:04 EST
The resident $INDEX_ROOT validator already checks the index root header
fields, but it still does not bound index_length through allocated_size or
ensure allocated_size stays within the resident index area.

Callers consume index.allocated_size as the resident root capacity.
ntfs_ie_add() uses it to decide whether an insertion can be done in place,
and ntfs_ie_insert() then updates the root without re-checking the resident
value boundary.

Read allocated_size in the resident $INDEX_ROOT validator, require it to be
8-byte aligned, require index_length <= allocated_size, and require
allocated_size <= the resident index area. Valid slack remains allowed.
Signed-off-by: DaeMyung Kang <charsyam@xxxxxxxxx>
---
fs/ntfs/attrib.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c
index cf49eade6b22..49c8f1f3b9dd 100644
--- a/fs/ntfs/attrib.c
+++ b/fs/ntfs/attrib.c
@@ -657,15 +657,19 @@ static bool ntfs_index_root_attr_value_is_valid(const u8 *value, const u32 value
u32 index_size;
u32 entries_offset;
u32 index_length;
+ u32 allocated_size;
ir = (const struct index_root *)value;
index_size = value_length - offsetof(struct index_root, index);
entries_offset = le32_to_cpu(ir->index.entries_offset);
index_length = le32_to_cpu(ir->index.index_length);
+ allocated_size = le32_to_cpu(ir->index.allocated_size);
- if ((entries_offset | index_length) & 7 ||
+ if ((entries_offset | index_length | allocated_size) & 7 ||
entries_offset < sizeof(struct index_header) ||
entries_offset > index_length ||
+ index_length > allocated_size ||
+ allocated_size > index_size ||
index_length - entries_offset < sizeof(struct index_entry_header))
return false;
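Review bot: the condition as extended now encodes the chain entries_offset <= index_length <= allocated_size <= index_size, but nothing in the code records that allocated_size is deliberately allowed to exceed index_length (the "valid slack" the commit message mentions); a one-line comment above the if, e.g. `/* allocated_size may exceed index_length (slack) but must fit the resident area */`, would keep a later cleanup from tightening `index_length > allocated_size` into an equality test and rejecting valid volumes. The ordering still matters: `entries_offset > index_length` must stay ahead of the `index_length - entries_offset` subtraction so the u32 arithmetic cannot wrap, which the hunk preserves. Folding allocated_size into the `& 7` alignment test is fine since all three operands are u32, and with `allocated_size > index_size` in place the index_length bound against index_size follows transitively, so any separate `index_length > index_size` check elsewhere in this function could be dropped in a follow-up.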
--
2.43.0