From: Jaehun Gou
To: almaz.alexandrovich@paragon-software.com
Cc: ntfs3@lists.linux.dev, linux-kernel@vger.kernel.org, Jaehun Gou, Seunghun Han, Jihoon Kwon
Subject: [PATCH] fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata
Date: Tue, 2 Dec 2025 20:01:09 +0900
Message-ID: <20251202110109.1885939-1-p22gone@gmail.com>

We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.

A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data.

However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as a NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.

This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn().
If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability. Co-developed-by: Seunghun Han Signed-off-by: Seunghun Han Co-developed-by: Jihoon Kwon Signed-off-by: Jihoon Kwon Signed-off-by: Jaehun Gou --- fs/ntfs3/attrib.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c index eced9013a881..f0ff85b7d76d 100644 --- a/fs/ntfs3/attrib.c +++ b/fs/ntfs3/attrib.c @@ -1354,19 +1354,28 @@ int attr_load_runs_range(struct ntfs_inode *ni, enu= m ATTR_TYPE type, CLST vcn; CLST vcn_last =3D (to - 1) >> cluster_bits; CLST lcn, clen; - int err; + int err =3D 0; + int retry =3D 0; =20 for (vcn =3D from >> cluster_bits; vcn <=3D vcn_last; vcn +=3D clen) { if (!run_lookup_entry(run, vcn, &lcn, &clen, NULL)) { + if (retry !=3D 0) { /* Next run_lookup_entry(vcn) also failed. */ + err =3D -EINVAL; + break; + } err =3D attr_load_runs_vcn(ni, type, name, name_len, run, vcn); if (err) - return err; + break; + clen =3D 0; /* Next run_lookup_entry(vcn) must be success. */ + retry++; } + else + retry =3D 0; } =20 - return 0; + return err; } =20 #ifdef CONFIG_NTFS3_LZX_XPRESS --=20 2.43.0
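Review bot: the `else` placed on its own line after the closing brace (`}` / `else` / `retry = 0;`) does not follow kernel coding style; checkpatch reports "else should follow close brace '}'", so write it as `} else {` on the brace line with `retry = 0;` inside. Since `retry` only ever holds 0 or 1 and is tested with `retry != 0`, a `bool` (say `retried`) would state the intent, one reload already attempted for this vcn, more clearly than a counter that is incremented but never compared against a limit. Minor: the comment `/* Next run_lookup_entry(vcn) must be success. */` reads better as "must succeed". The change from `return err` to `break` together with `int err = 0` keeps a single exit through `return err`, which is fine as written.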
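A user-space model of the loop the commit message describes, added here as an illustration; it is not part of the patch or of ntfs3 itself. Every struct and `model_*` function is a simplified stand-in that I assume for the purpose of the demonstration, not the kernel's code, and the sample attribute and run data are constructed. It runs the pre-patch loop under an iteration cap beside the patched loop with the retry guard, once against a consistent attribute and once against one whose header claims an empty run list (evcn = -1, svcn = 0) while the caller expects four clusters:

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t CLST;

/* Constructed stand-ins for a runs-tree entry and for struct runs_tree;
 * runs == NULL until something has been unpacked, as in the bug report. */
struct run_entry { CLST vcn, lcn, len; };
struct model_runs_tree { const struct run_entry *runs; size_t count; };

/* Constructed stand-in for the attribute header fields that matter here:
 * evcn = (CLST)-1 with svcn = 0 encodes an empty run list. */
struct model_attr {
    CLST svcn, evcn;
    const struct run_entry *runs;   /* what unpacking would yield */
    size_t count;
};

/* Models run_unpack(): succeeds without touching the tree when the header
 * encodes an empty run list (evcn + 1 == svcn, using unsigned wrap-around). */
static int model_run_unpack(struct model_runs_tree *run, const struct model_attr *attr)
{
    if (attr->evcn + 1 == attr->svcn)
        return 0;               /* empty: nothing parsed, run->runs stays NULL */
    run->runs = attr->runs;
    run->count = attr->count;
    return 0;
}

/* Models run_lookup_entry(): false if the tree is empty or vcn is unmapped. */
static bool model_run_lookup_entry(const struct model_runs_tree *run, CLST vcn,
                                   CLST *lcn, CLST *clen)
{
    if (!run->runs)
        return false;
    for (size_t i = 0; i < run->count; i++) {
        const struct run_entry *e = &run->runs[i];
        if (vcn >= e->vcn && vcn < e->vcn + e->len) {
            *lcn = e->lcn + (vcn - e->vcn);
            *clen = e->len - (vcn - e->vcn);
            return true;
        }
    }
    return false;
}

/* The loop as it was before the patch. The constructed iteration cap makes
 * the model terminate; returning -1 on hitting it stands in for spinning. */
static int load_range_before(struct model_runs_tree *run, const struct model_attr *attr,
                             CLST vcn_first, CLST vcn_last, unsigned cap)
{
    CLST vcn, lcn = 0, clen = 0;
    unsigned iter = 0;

    for (vcn = vcn_first; vcn <= vcn_last; vcn += clen) {
        if (++iter > cap)
            return -1;
        if (!model_run_lookup_entry(run, vcn, &lcn, &clen)) {
            int err = model_run_unpack(run, attr);
            if (err)
                return err;
            clen = 0;           /* assumes the next lookup will succeed */
        }
    }
    return 0;
}

/* The loop with the patch's retry guard: a second consecutive lookup failure
 * right after a "successful" load is reported as corrupted metadata. */
static int load_range_after(struct model_runs_tree *run, const struct model_attr *attr,
                            CLST vcn_first, CLST vcn_last)
{
    CLST vcn, lcn = 0, clen = 0;
    int err = 0, retry = 0;

    for (vcn = vcn_first; vcn <= vcn_last; vcn += clen) {
        if (!model_run_lookup_entry(run, vcn, &lcn, &clen)) {
            if (retry != 0) { err = -EINVAL; break; }
            err = model_run_unpack(run, attr);
            if (err)
                break;
            clen = 0;
            retry++;
        } else {
            retry = 0;
        }
    }
    return err;
}

/* Constructed scenarios: VCN 0..3 mapped to LCN 100..103, versus a header
 * that says "empty" although the caller expects those four clusters. */
static const struct run_entry sample_runs[] = { { 0, 100, 4 } };
static const struct model_attr consistent_attr = { 0, 3, sample_runs, 1 };
static const struct model_attr inconsistent_attr = { 0, (CLST)-1, NULL, 0 };

int scenario_before(bool consistent, unsigned cap)
{
    struct model_runs_tree run = { NULL, 0 };
    return load_range_before(&run, consistent ? &consistent_attr : &inconsistent_attr, 0, 3, cap);
}

int scenario_after(bool consistent)
{
    struct model_runs_tree run = { NULL, 0 };
    return load_range_after(&run, consistent ? &consistent_attr : &inconsistent_attr, 0, 3);
}

int main(void)
{
    printf("before, inconsistent: %d (-1 means the loop would spin)\n", scenario_before(false, 1000));
    printf("after,  inconsistent: %d (-EINVAL is %d)\n", scenario_after(false), -EINVAL);
    printf("after,  consistent:   %d\n", scenario_after(true));
    return 0;
}
```

The pre-patch model only terminates because of the cap: with run->runs still NULL every lookup fails, clen stays 0 and vcn never advances. The patched model fails the same input on its second lookup with -EINVAL, and the consistent input still loads and completes in both versions, which is the property a regression test for this fix should pin down.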