1. Patchew
  2. linux
  3. View series

[PATCH] ntfs3: fix out-of-bounds read in decompress_lznt

Tristan Madani posted 1 patch 1 month, 4 weeks ago 
fs/ntfs3/lznt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] ntfs3: fix out-of-bounds read in decompress_lznt
Posted by Tristan Madani 1 month, 4 weeks ago 
From: Tristan Madani <tristan@talencesecurity.com>

decompress_lznt() does not validate array index bounds before accessing
the decompression table. A corrupted NTFS3 image with invalid compressed
data can trigger an out-of-bounds read.

Add index bounds checking to prevent the OOB access.

Reported-by: syzbot+39b2fb0f2638669008ec@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/ntfs3/lznt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ntfs3/lznt.c b/fs/ntfs3/lznt.c
index fdc9b2ebf3410..f818d97850049 100644
--- a/fs/ntfs3/lznt.c
+++ b/fs/ntfs3/lznt.c
@@ -240,7 +240,7 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr,
 		if (up - unc > LZNT_CHUNK_SIZE)
 			return -EINVAL;
 		/* Correct index */
-		while (unc + s_max_off[index] < up)
+		while (index < ARRAY_SIZE(s_max_off) - 1 && unc + s_max_off[index] < up)
 			index += 1;
 
 		/* Check the current flag for zero. */
-- 
2.47.3
Re: [PATCH] ntfs3: fix out-of-bounds read in decompress_lznt
Posted by Konstantin Komarov 1 month, 2 weeks ago 
On 4/18/26 15:11, Tristan Madani wrote:

> [You don't often get email from tristmd@gmail.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
>
> From: Tristan Madani <tristan@talencesecurity.com>
>
> decompress_lznt() does not validate array index bounds before accessing
> the decompression table. A corrupted NTFS3 image with invalid compressed
> data can trigger an out-of-bounds read.
>
> Add index bounds checking to prevent the OOB access.
>
> Reported-by: syzbot+39b2fb0f2638669008ec@syzkaller.appspotmail.com
> Cc: stable@vger.kernel.org
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
> ---
>   fs/ntfs3/lznt.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/ntfs3/lznt.c b/fs/ntfs3/lznt.c
> index fdc9b2ebf3410..f818d97850049 100644
> --- a/fs/ntfs3/lznt.c
> +++ b/fs/ntfs3/lznt.c
> @@ -240,7 +240,7 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr,
>                  if (up - unc > LZNT_CHUNK_SIZE)
>                          return -EINVAL;
>                  /* Correct index */
> -               while (unc + s_max_off[index] < up)
> +               while (index < ARRAY_SIZE(s_max_off) - 1 && unc + s_max_off[index] < up)
>                          index += 1;
>
>                  /* Check the current flag for zero. */
> --
> 2.47.3
>
Hello,

Sorry for the delay.
Your patch is applied, thank you.

Regards,
Konstantin

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.