From: Zhan Xusheng
To: Konstantin Komarov
Cc: linux-kernel@vger.kernel.org, Zhan Xusheng
Subject: [PATCH] fs/ntfs3: reject evcn == U64_MAX in mi_enum_attr()
Date: Fri, 24 Apr 2026 10:46:19 +0800
Message-ID: <20260424024619.285630-1-zhanxusheng@xiaomi.com>

In mi_enum_attr(), the start/end VCN validation for non-resident
attributes is:

	if (svcn > evcn + 1)
		goto out;

When on-disk evcn is 0xFFFFFFFFFFFFFFFF (U64_MAX), the addition
evcn + 1 wraps to 0, and the check becomes "if (svcn > 0)" which
incorrectly accepts svcn == 0 with evcn == U64_MAX.

mi_enum_attr() is the core attribute iterator used throughout ntfs3.
Allowing this malformed VCN range to pass the initial validation can
feed a bogus 64-bit extent span into downstream code that computes
evcn + 1 - svcn (producing 0 due to wrap) or uses evcn as a loop
bound. A crafted NTFS image can trigger this on mount or file access.

Fix by explicitly rejecting evcn == U64_MAX before the addition.

Fixes: 013ff63b6494 ("fs/ntfs3: Add more attributes checks in mi_enum_attr()")
Signed-off-by: Zhan Xusheng
--- fs/ntfs3/record.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c index 32bdb034c2a3..2ff28bfbedad 100644 --- a/fs/ntfs3/record.c +++ b/fs/ntfs3/record.c
@@ -311,7 +311,8 @@ struct ATTRIB *mi_enum_attr(struct ntfs_inode *ni, stru= ct mft_inode *mi, goto out; =20 /* Check start/end vcn. */ - if (le64_to_cpu(attr->nres.svcn) > le64_to_cpu(attr->nres.evcn) + 1) + if (le64_to_cpu(attr->nres.evcn) =3D=3D (u64)-1 || + le64_to_cpu(attr->nres.svcn) > le64_to_cpu(attr->nres.evcn) + 1) goto out; =20 data_size =3D le64_to_cpu(attr->nres.data_size); --=20 2.43.0
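
Review bot: The added first operand of the "Check start/end vcn" condition changes the result for exactly one input, svcn == 0 with evcn == U64_MAX, because for any other svcn the old "svcn > evcn + 1" test already took the "goto out" path when evcn + 1 wrapped to 0. That one pair is also the evcn == svcn - 1 form which the "+ 1" in the old check admits as a zero-length range for every other svcn, so please state in the commit message whether a valid image (or ntfs3 itself) can ever store it for an empty non-resident attribute; if it can, this check turns a valid record into an enumeration failure, and the wrap is better handled where evcn + 1 - svcn is computed. Smaller points: the subject and message say U64_MAX while the code spells it "(u64)-1", and evcn is now converted with le64_to_cpu() twice, so reading svcn and evcn into locals once would make the condition easier to audit.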