[PATCH 0/2] ntfs3: fix OOB read and integer overflow in run_unpack()

tobgaertner posted 2 patches 3 days, 21 hours ago
From: Tobias Gaertner <tob.gaertner@me.com>

Two bugs in run_unpack() found by fuzzing with a source-patched harness
(LibAFL + QEMU ARM64 system-mode):

Patch 1: run_unpack() checks `run_buf < run_last` at the loop top but
then reads size_size and offset_size bytes via run_unpack_s64() without
verifying they fit in the remaining buffer.  A crafted NTFS image with
truncated run data triggers a heap OOB read of up to 15 bytes on mount.

Patch 2: The volume boundary check `lcn + len > sbi->used.bitmap.nbits`
uses raw addition that can wrap for large values, bypassing the
validation.  CVE-2025-40068 added check_add_overflow() for adjacent
arithmetic but missed this instance.

Both bugs have been present since NTFS3 was merged in 5.15.

Could CVE IDs be assigned for these two issues?

tobgaertner (2):
  ntfs3: add buffer boundary checks to run_unpack()
  ntfs3: fix integer overflow in run_unpack() volume boundary check

 fs/ntfs3/run.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

-- 
2.43.0
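The two defects described in the cover letter follow a pattern that is easy to illustrate outside the kernel. The block below is an added example written for this note, not ntfs3's run_unpack() or either of the posted patches. It models the mapping-pair header byte in a simplified way (low nibble = number of length bytes, high nibble = number of offset bytes; the function and field names are assumptions) and shows the two checks a parser needs: that the variable-length fields actually fit in the remaining buffer before they are read, and that the volume boundary comparison `lcn + len > nbits` is done with an overflow-checked add. `__builtin_add_overflow` (GCC/Clang) stands in for the kernel's check_add_overflow(); the unchecked form is kept next to it so the wrap-around can be seen.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model of an NTFS-style run header byte (assumption for this
 * example): low nibble is the size of the length field, high nibble the size
 * of the offset field, each in bytes. The fields follow the header byte. */

/* Returns true only if the header byte plus both variable-length fields lie
 * entirely within the `remaining` bytes still available in the buffer.
 * Checking `remaining >= 1` alone (one byte for the header) is the mistake
 * described in patch 1: it says nothing about the bytes read after it. */
static bool run_entry_fits(const uint8_t *buf, size_t remaining)
{
    if (remaining < 1)
        return false;
    size_t size_size = buf[0] & 0xF;
    size_t offset_size = buf[0] >> 4;
    /* 1 header byte + length field + offset field must not exceed what is left. */
    return 1 + size_size + offset_size <= remaining;
}

/* Volume boundary check that cannot be bypassed by wrap-around.
 * __builtin_add_overflow is the user-space equivalent of the kernel's
 * check_add_overflow(): it reports whether lcn + len overflowed. */
static bool lcn_range_in_volume(uint64_t lcn, uint64_t len, uint64_t nbits)
{
    uint64_t end;
    if (__builtin_add_overflow(lcn, len, &end))
        return false;          /* wrapped: the range is certainly invalid */
    return end <= nbits;
}

/* The raw-addition form from the cover letter, kept only for comparison:
 * a large lcn makes lcn + len wrap to a small value and pass the check. */
static bool lcn_range_in_volume_unchecked(uint64_t lcn, uint64_t len, uint64_t nbits)
{
    return lcn + len <= nbits;
}

/* Constructed sample entries (not from any real image). */
static const uint8_t good_entry[] = {0x11, 0x05, 0x03};  /* 1 length byte, 1 offset byte */
static const uint8_t truncated_entry[] = {0x28, 0x05};   /* header claims 8 + 2 field bytes */
```

`run_entry_fits(truncated_entry, sizeof truncated_entry)` rejects the second sample even though its header byte is readable, which is exactly the case a `run_buf < run_last` test at the loop top does not cover; `lcn_range_in_volume_unchecked(UINT64_MAX, 2, 1000)` returns true because the sum wraps to 1, while the checked variant returns false.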