From: Jiasheng Jiang
To: Konstantin Komarov, linux-kernel@vger.kernel.org
Cc: ntfs3@lists.linux.dev, Jiasheng Jiang
Subject: [PATCH] fs/ntfs3: Fix infinite loop in hdr_find_split due to zero-sized entry
Date: Sat, 17 Jan 2026 18:48:59 +0000
Message-Id: <20260117184859.37979-1-jiashengjiangcool@gmail.com>

The function hdr_find_split iterates over index entries to calculate a split point. The loop increments the offset 'o' by 'esize', which is derived directly from the on-disk 'e->size' field.

If a corrupted or malicious filesystem image contains an index entry with a size of 0, the variable 'o' will fail to advance. This results in an infinite loop if the condition 'o < used_2' remains true, causing a kernel hang (Denial of Service).

This patch adds a sanity check to ensure 'esize' is at least the size of the NTFS_DE structure, consistent with validation logic in sibling functions like hdr_find_e.

Signed-off-by: Jiasheng Jiang
---
fs/ntfs3/index.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 7157cfd70fdc..da6927e6d360 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -577,6 +577,9 @@ static const struct NTFS_DE *hdr_find_split(const struc= t INDEX_HDR *hdr) return p; =20 esize =3D le16_to_cpu(e->size); + + if (esize < sizeof(struct NTFS_DE)) + return NULL; } =20 return e; --=20 2.25.1
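Review bot: the new check sits only inside the loop body, after the first entry's 'esize' has already been read ahead of the loop (outside this hunk), so the commit message should state how a zero-sized first entry is handled, or the same check should be applied to that initial read so both reads go through one validation. A NULL return from hdr_find_split also has to be distinguished by every caller from "no split point found"; naming the callers that were audited to treat it as an error would make this easier to verify. The check guards only the lower bound, so an entry whose size runs past the header's used length is still accepted here; if hdr_find_e, which the message cites as the model, also bounds the entry against the header, mirroring that would make the two consistent. Consider a Fixes: tag and Cc: stable, since the message says a crafted image can trigger the hang.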
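As an added illustration that is not the kernel's code, the walk described in the commit message run over a constructed index header, once unguarded and once with the patch's check; the struct layouts, field names and the iteration cap are assumptions made for this demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed on-disk layout for this demo (not the kernel's definitions). */
struct hdr { uint32_t de_off, used, total, flags; };   /* 16-byte header */
struct de  { uint64_t ref; uint16_t size, key_size, flags, res; };
#define DE_LAST 0x02
/* Model of hdr_find_split: advance 'o' by each entry's on-disk size until it
 * passes used/2; 'guard' enables the patch's check. Returns the chosen offset,
 * 0 if rejected, or SIZE_MAX when 'cap' iterations pass without 'o' moving. */
static size_t find_split(const uint8_t *buf, bool guard, unsigned cap)
{
    struct hdr h; struct de e; unsigned n = 0;
    memcpy(&h, buf, sizeof h);
    size_t eoff = h.de_off, o, used_2 = h.used >> 1;
    memcpy(&e, buf + eoff, sizeof e);
    if (e.flags & DE_LAST) return 0;
    uint16_t esize = e.size;                    /* first size is unchecked */
    for (o = eoff + esize; o < used_2; o += esize) {
        if (++n > cap) return SIZE_MAX;         /* no cap in the kernel: hang */
        memcpy(&e, buf + o, sizeof e);
        if (e.flags & DE_LAST) return eoff;     /* never pick the END entry */
        eoff = o;
        esize = e.size;
        if (guard && esize < sizeof(struct de)) return 0;  /* the patch */
    }
    return eoff;
}

/* Construct a header whose entries have the given sizes; the last is END. */
static void build(uint8_t *buf, const uint16_t *sizes, int n)
{
    uint32_t off = 16;
    for (int i = 0; i < n; i++) {
        struct de d = { .size = sizes[i], .flags = i == n - 1 ? DE_LAST : 0 };
        memcpy(buf + off, &d, sizeof d);
        off += sizes[i] ? sizes[i] : sizeof d;  /* keep laying out past a 0 */
    }
    memcpy(buf, &(struct hdr){ .de_off = 16, .used = off, .total = 256 }, 16);
}

/* Walk a well-formed constructed image, or one carrying a zero-sized entry. */
size_t demo(bool guard, bool corrupt)
{
    uint8_t buf[256] = {0};
    const uint16_t ok[] = {32, 32, 32, 16}, bad[] = {32, 0, 32, 32, 16};
    build(buf, corrupt ? bad : ok, corrupt ? 5 : 4);
    return find_split(buf, guard, 1000);
}
```

On the well-formed image both walks pick the entry at offset 48; on the corrupt one the unguarded loop exhausts the cap, while the guarded loop rejects the entry.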