From: Jiasheng Jiang
To: Konstantin Komarov, linux-kernel@vger.kernel.org
Cc: ntfs3@lists.linux.dev, Jiasheng Jiang
Subject: [PATCH] fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot
Date: Sat, 17 Jan 2026 16:50:24 +0000
Message-Id: <20260117165024.32827-1-jiashengjiangcool@gmail.com>
X-Mailer: git-send-email 2.25.1
X-Mailing-List: linux-kernel@vger.kernel.org

In the 'DeleteIndexEntryRoot' case of the 'do_action' function, the entry
size ('esize') is retrieved from the log record without adequate bounds
checking. Specifically, the code calculates the end of the entry ('e2')
using:

	e2 = Add2Ptr(e1, esize);

It then calculates the size for memmove using 'PtrOffset(e2, ...)', which
subtracts the end pointer from the buffer limit. If 'esize' is maliciously
large, 'e2' exceeds the used buffer size. This results in a negative offset
which, when cast to size_t for memmove, is interpreted as a massive unsigned
integer, leading to a heap buffer overflow.

This commit adds a check to ensure that the entry size ('esize') strictly
fits within the remaining used space of the index header before performing
memory operations.

Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal")
Signed-off-by: Jiasheng Jiang
---
 fs/ntfs3/fslog.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c
index 38934e6978ec..28bd611f580d 100644
--- a/fs/ntfs3/fslog.c
+++ b/fs/ntfs3/fslog.c
@@ -3429,6 +3429,9 @@ static int do_action(struct ntfs_log *log, struct OPE= N_ATTR_ENRTY *oe, =20 e1 =3D Add2Ptr(attr, le16_to_cpu(lrh->attr_off)); esize =3D le16_to_cpu(e1->size); + if (PtrOffset(e1, Add2Ptr(hdr, used)) < esize) + goto dirty_vol; + e2 =3D Add2Ptr(e1, esize); =20 memmove(e1, e2, PtrOffset(e2, Add2Ptr(hdr, used))); --=20 2.25.1
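Review bot: The new check `if (PtrOffset(e1, Add2Ptr(hdr, used)) < esize)` bounds only the far end of the entry and assumes e1 already lies at or before hdr+used. PtrOffset returns an unsigned size_t, so if e1 itself sits past the used region (an out-of-range lrh->attr_off), the subtraction wraps to a huge value, the comparison is false, and the following `memmove(e1, e2, PtrOffset(e2, Add2Ptr(hdr, used)))` receives the same wrapped length this patch sets out to prevent. If attr_off is validated against `used` earlier in this case, a one-line comment here saying so would help the next reader; otherwise add `if (PtrOffset(hdr, e1) >= used) goto dirty_vol;` ahead of the new check. Separately, esize == 0 passes the check and makes e2 == e1, so the memmove becomes a no-op on a record that is plainly corrupt; rejecting sizes smaller than the entry header would report it instead of silently accepting it. Minor: the subject says "slab-out-of-bounds read" while the body describes a heap buffer overflow through memmove (which both reads and writes out of bounds with a wrapped length); worth making the two consistent.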
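To make the unsigned-wraparound mechanism described in the commit message concrete, here is an added C example; it is not code from the patch or from the ntfs3 tree. It defines demo versions of Add2Ptr/PtrOffset in the style the kernel uses, builds a constructed 128-byte index buffer with a host-order size field (the kernel's is little-endian and goes through le16_to_cpu), and compares the pre-patch length computation, the patch's check, and a stricter variant (move_len_strict, an assumption that goes beyond the patch) that also requires e1 itself to lie inside the used region, since the patch's comparison cannot catch an entry pointer that is already out of range.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Demo pointer helpers in the style of ntfs3's Add2Ptr/PtrOffset (written
 * for this example, not copied from the kernel tree). PtrOffset yields an
 * unsigned size_t, so a "negative" distance wraps to a huge value. */
#define Add2Ptr(P, I)   ((void *)((uint8_t *)(P) + (I)))
#define PtrOffset(B, O) ((size_t)((size_t)(O) - (size_t)(B)))

/* Constructed layout: a 128-byte index buffer whose header starts at
 * offset 0; 'used' counts the bytes after hdr that are in use (the kernel
 * reads it from the header earlier, here it is passed in). Each entry's
 * first two bytes are its size field (host order in this demo). */
#define BUF_LEN       128
#define USED          32
#define ENTRY_HDR_LEN 2   /* at minimum the size field itself */

static uint16_t entry_size(const void *e1)
{
    uint16_t s;
    memcpy(&s, e1, sizeof s);
    return s;
}

/* Before the patch: the length handed to memmove, with no check on esize. */
static size_t move_len_unchecked(const void *hdr, uint32_t used, const void *e1)
{
    void *e2 = Add2Ptr(e1, entry_size(e1));
    return PtrOffset(e2, Add2Ptr(hdr, used));
}

/* The patch's check: refuse the record when the entry would end past
 * hdr+used. Returns 0 and stores the memmove length, or -1 if rejected. */
static int move_len_patched(const void *hdr, uint32_t used, const void *e1,
                            size_t *len)
{
    uint16_t esize = entry_size(e1);
    if (PtrOffset(e1, Add2Ptr(hdr, used)) < esize)
        return -1;
    *len = PtrOffset(Add2Ptr(e1, esize), Add2Ptr(hdr, used));
    return 0;
}

/* Stricter variant (assumption, goes beyond the patch): also requires e1 to
 * lie inside [hdr, hdr+used) and esize to cover at least the size field, so
 * the unsigned PtrOffset cannot wrap when e1 is already out of range.
 * Returns -2 for a bad entry pointer, -1 for a bad size, 0 on success. */
static int move_len_strict(const void *hdr, uint32_t used, const void *e1,
                           size_t *len)
{
    const uint8_t *h = hdr, *e = e1;   /* same buffer, so comparable */
    if (e < h || (size_t)(e - h) >= used)
        return -2;
    if (entry_size(e1) < ENTRY_HDR_LEN)
        return -1;
    return move_len_patched(hdr, used, e1, len);
}

/* Fill the constructed buffer with one entry of the given size at entry_off. */
static void build_buf(uint8_t *buf, uint32_t entry_off, uint16_t esize)
{
    memset(buf, 0, BUF_LEN);
    memcpy(buf + entry_off, &esize, sizeof esize);
}

/* 1 if the pre-patch length exceeds the whole buffer (memmove would overrun). */
int unchecked_overruns(uint32_t entry_off, uint16_t esize)
{
    uint8_t buf[BUF_LEN];
    build_buf(buf, entry_off, esize);
    return move_len_unchecked(buf, USED, buf + entry_off) > BUF_LEN;
}

/* 1 if the patch's check lets the record through. */
int patched_accepts(uint32_t entry_off, uint16_t esize)
{
    uint8_t buf[BUF_LEN];
    size_t len = 0;
    build_buf(buf, entry_off, esize);
    return move_len_patched(buf, USED, buf + entry_off, &len) == 0;
}

/* memmove length under the patch's check, or -1 if the record is rejected. */
long patched_len(uint32_t entry_off, uint16_t esize)
{
    uint8_t buf[BUF_LEN];
    size_t len = 0;
    build_buf(buf, entry_off, esize);
    return move_len_patched(buf, USED, buf + entry_off, &len) ? -1 : (long)len;
}

/* memmove length under the strict check, or its negative status code. */
long strict_len(uint32_t entry_off, uint16_t esize)
{
    uint8_t buf[BUF_LEN];
    size_t len = 0;
    build_buf(buf, entry_off, esize);
    int rc = move_len_strict(buf, USED, buf + entry_off, &len);
    return rc ? (long)rc : (long)len;
}

int main(void)
{
    printf("valid entry (off 8, size 8): patched len %ld, strict len %ld\n",
           patched_len(8, 8), strict_len(8, 8));
    printf("oversized entry (size 60): unchecked overruns=%d, patched rejects=%d\n",
           unchecked_overruns(8, 60), !patched_accepts(8, 60));
    printf("entry past hdr+used (off 40): patched accepts=%d, strict status=%ld\n",
           patched_accepts(40, 8), strict_len(40, 8));
    return 0;
}
```

The interesting case is the entry placed at offset 40 with used = 32: the patch's comparison passes because PtrOffset wraps, and the unchecked length still overruns, which is why the strict variant checks the entry pointer against the used region before trusting any arithmetic derived from it.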