From nobody Sat Jun 13 07:47:12 2026 Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com [209.85.215.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6645B382F2C for ; Sat, 9 May 2026 06:12:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778307171; cv=none; b=NG0Wzp0ulR2zMr2I/j6+bKGDcXGbUgJGU9ekbQJ8DiQbWQd2t3KvERR+Dd6aZRDrn99damLQWeUDQwqbxIsb/+0NZoQoJRh2KedyMuZfSofNnp/U4TwavM2fc4UBIeKmdeQbM6Tz95v1BiItsMXjZBI8bJehZ6PofD/S0YEa0hE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778307171; c=relaxed/simple; bh=x3U0+ik7ABX/ipLSzhLPhRGDfe/68tRYRIvR0CNMyFk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=nAWRtjYjgAa5SK3SyMLyk447/LuvTiE/wgfwdDVLEttgfRtzWNb6vyYVVDEPu5gGi3E/Ep3oH5LkKxzzwTdigSyJQt/rN/8yspakeO39Xotw2qkCmWzRWZxZmcxtGoOu9+IpFKfDLxac2EhnA9Bpiwh0y2dvXauyZp2FilE8T+0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=P+f/AuHW; arc=none smtp.client-ip=209.85.215.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="P+f/AuHW" Received: by mail-pg1-f174.google.com with SMTP id 41be03b00d2f7-c70e3eb3af1so103826a12.2 for ; Fri, 08 May 2026 23:12:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1778307170; x=1778911970; darn=vger.kernel.org; 
h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=znfabyFueBNEPqXXyOxpAPqjsy9bDnSpb0+GPews0kY=; b=P+f/AuHWaV4ZexxEQY2RRFRGTVJQVZfjn1pQ5S8d3MPW8y+t0/rDum/Bk/x+b1lkxb 5VV5Kn4qugZS2B2ygvsQXD+dHPMB5z0K0sPHNouHA+TaUVv0MI71CJSPxi/8fq8CwuOt hV1kdk6eeaokwGFrXC3FeZLXdJMdpiuZEKnWdbZbZnKtczeZ9YrgOKiMBt9dQW28khcg A44P/v/gzqVLuY3OBOHt9O5l91zIFs7NcfTIY0gdZOmXWjYwT99InG0xieb5KzWQmbYe oAIfVDQzd4oozzhGTJUXPy/Q8c1nuXFeggmVGFNtHp4N9VcyQw3TNaZBfLdbsRNGOMUV Ss7w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778307170; x=1778911970; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=znfabyFueBNEPqXXyOxpAPqjsy9bDnSpb0+GPews0kY=; b=rt/MWvIMVl1xap1WFOUExYqO+t7s3SsxJE7b1d9dlB0Qptu2AdMKZF/qi0FQY7Sh5W mYvfLlI+aBZRPX6zxUHQOiWjHjQLbjMarT01asVhdmOyW9Mu0n8SKniBUO8LEffMsafN VLrNbLymQJKNMCPLeHPx9rmw+4U7hNO0jEp+vHb/AEe+wMiV3PejCMhvC8qlL80knKvC /ff6488yAJkTq8AflMws8fgvAvXu5xjAoUQiA8sPDgs71HV/EW9DcChA2tcrbiEEvlU/ 5JkyhVc8YEtelUpE+glOcS3jeew42921WmkRixPgzG6kQydKtrGlpBmu1TE0Hzshmg9d xVJg== X-Forwarded-Encrypted: i=1; AFNElJ9TM6dz+Y49Ha8Lm10Ad3JcJDeRRdoj5hlvxOSFLhqhw1ipoeaWFnT9ac5JcQAYDWfD1J+KKEkm+S10/zM=@vger.kernel.org X-Gm-Message-State: AOJu0YzNXJhY29lCVHfPGYG4tJzodQblA01koFPiVzI5yOYSBekIP7nx pgn8TDFL1HAwLg1gO1w6rg2OEyQWGEYmloaIFiqSmKAy7kqB/hlpJlWY X-Gm-Gg: Acq92OH9pjMcODlE9eZLqInnp2mzjx36GGRHfx77hZLWp19DoyDrRXbgre42zlBct5X 2xppmNBOJ1FPvzXqk1C6gFKPPy3mJBmCjA6oqKdc5dJzpZF05JH2mLLlQ0HpsqlvniqL0zrilcC MUdgizn90yIEVgokhxUdi7e4gvQ4dLWgV2n71P6Sqkpr7JwZST/vy4DYWLyZQusCb1ChxpfIRQb I3Vb9np4cJKENL0RYtKGUuAjGJ687YTP4ADPV830IA6NvAlA9Bf4hy/7GNJofq9UGpaWVaco3tt 7fv/Bt2wsov+0CbxCeXJRpOVU6oZ2+ABYjnkYKlNYB3XaVUgVJL7BvTv1iPcECaOqTe0hH0ZymI urzaQ4B5j9EFvMkcAAXbtvuqL0RfFNaU0IHAbGBg5NnPxJ34EVAm6msC9Ws6a2YzFjW63Kybwd7 0vX4LVFd5BFVBk/KbKUdhm/b1b6Kc= 
X-Received: by 2002:a05:6a00:1c86:b0:824:9f50:83c7 with SMTP id d2e1a72fcca58-83a8ff17470mr7354332b3a.0.1778307169711; Fri, 08 May 2026 23:12:49 -0700 (PDT) Received: from ser8.. ([221.156.231.192]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-839659487afsm13380429b3a.18.2026.05.08.23.12.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 08 May 2026 23:12:49 -0700 (PDT) 
From: DaeMyung Kang
To: Namjae Jeon , Hyunchul Lee
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, DaeMyung Kang
Subject: [PATCH v2 1/3] ntfs: validate MFT attrs_offset against bytes_in_use
Date: Sat, 9 May 2026 15:12:35 +0900
Message-ID: <20260509061237.3233714-2-charsyam@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260508153410.2624801-1-charsyam@gmail.com>
References: <20260508153410.2624801-1-charsyam@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: List-Subscribe: List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

ntfs_mft_record_check() verifies that attrs_offset is aligned and that the resulting pointer stays within the allocated MFT record buffer, but it does not check that the first attribute header starts within the bytes_in_use area. A malformed record with attrs_offset greater than bytes_in_use can pass this check as long as attrs_offset is still within bytes_allocated.

The attribute parser then computes the remaining record space by subtracting the attribute pointer from bytes_in_use. Because that value is unsigned, the subtraction can underflow and allow bytes after bytes_in_use to be interpreted as an attribute.

Reject records where attrs_offset is outside bytes_in_use or where the used area does not even contain the four-byte attribute type/AT_END terminator at attrs_offset.

A small userspace model with attrs_offset=128 and bytes_in_use=64 shows the current check accepts the record and the parser space calculation underflows to 0xffffffc0. With this change the same malformed record is rejected before the attribute walker is entered.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: DaeMyung Kang
---
 fs/ntfs/mft.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/fs/ntfs/mft.c b/fs/ntfs/mft.c
index 7d989267a82b..827b99f4597a 100644
--- a/fs/ntfs/mft.c
+++ b/fs/ntfs/mft.c
@@ -30,6 +30,8 @@ int ntfs_mft_record_check(const struct ntfs_volume *vol, = struct mft_record *m, { struct attr_record *a; struct super_block *sb =3D vol->sb; + u16 attrs_offset; + u32 bytes_in_use; =20 if (!ntfs_is_file_record(m->magic)) { ntfs_error(sb, "Record %llu has no FILE magic (0x%x)\n", 
@@ -65,7 +67,16 @@ int ntfs_mft_record_check(const struct ntfs_volume *vol,= struct mft_record *m, goto err_out; } =20 - a =3D (struct attr_record *)((char *)m + le16_to_cpu(m->attrs_offset)); + attrs_offset =3D le16_to_cpu(m->attrs_offset); + bytes_in_use =3D le32_to_cpu(m->bytes_in_use); + + if (attrs_offset > bytes_in_use || + bytes_in_use - attrs_offset < sizeof_field(struct attr_record, type))= { + ntfs_error(sb, "Record %llu has corrupt attribute offset\n", mft_no); + goto err_out; + } + + a =3D (struct attr_record *)((char *)m + attrs_offset); if ((char *)a < (char *)m || (char *)a > (char *)m + vol->mft_record_size= ) { ntfs_error(sb, "Record %llu is corrupt\n", mft_no); goto err_out; --=20 2.43.0 From nobody Sat Jun 13 07:47:12 2026 Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 063343FE344 for ; Fri, 8 May 2026 15:34:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.175 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778254463; cv=none; b=S3QRSW4Xw1PjW1cuMlGKQlWVon0q+xPrUBnFnY8TnAVuYSxYsuh+SaV2WHiHAjG9/xNVl5NPOGyxoghdj7a3Q6orE+a0V0L3iHVzOBCqDZaBlfi1Mph9OqbmGpIHvVof+WJb2DS7eT0XkXXWF3tZttBH8nkbhisLVSIn4DbIZ4U= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778254463; c=relaxed/simple; bh=p6tnX/4l5ZUM9aHwboY5tRoceNKto1CtwEkFY8BpzLk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=K8sKYKcHFwxpfh+tdvaSN+NrrfEuUE7SVot3L3n+DiKQEsQ/df5nQ/YHGYOtnaatntHXHCTx4ChRPZg+cd9K5D5rR9d1wWmGH8hjGmr9DJqtirWHvhQZ7D0RWH75/oBnxHZ5bwLqTWBbCWhYK/iRkTSzepEN62n3WXF6hZ6M/iA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) 
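Review bot: the new rejection in the second hunk logs only "Record %llu has corrupt attribute offset" and drops the values that triggered it; since this is precisely the path a fuzzed or tampered image hits, printing attrs_offset and bytes_in_use next to the record number (for example "Record %llu has corrupt attribute offset 0x%x (bytes_in_use 0x%x)\n") lets a responder triage from dmesg without re-mounting the image. Separately, once attrs_offset <= bytes_in_use - 4 is enforced here, the unchanged pointer-range test that follows ((char *)a < (char *)m || (char *)a > (char *)m + vol->mft_record_size) can only still fire if bytes_in_use itself exceeds the record size; if that is bounded earlier in the function (not visible in this hunk) the old test is now redundant and deserves a one-line comment saying so, and if it is not, note that its strict ">" still accepts a pointer exactly at the end of the record.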
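The commit message above refers to a small userspace model of the check. The following is an added example in that spirit, not the kernel's code or the author's model: struct mft_record_model is a simplified stand-in for the on-disk struct mft_record, the 8-byte alignment rule and MFT_RECORD_SIZE are assumptions of the model, and the three sample records are constructed. It reproduces the stated result (the malformed record passes the old check and the walker's space calculation wraps to 0xffffffc0) and shows the second clause of the new check rejecting a record whose used area ends two bytes after attrs_offset.

```c
/* Userspace model of the MFT record header check changed in this patch.
 * Added example, not the kernel's code: struct mft_record_model is a
 * simplified stand-in for struct mft_record, MFT_RECORD_SIZE and the
 * 8-byte alignment rule are assumptions, and the sample records below
 * are constructed. Field names follow the patch. */
#include <stdint.h>
#include <stdio.h>

#define MFT_RECORD_SIZE 1024u   /* assumed vol->mft_record_size */
#define ATTR_TYPE_SIZE  4u      /* sizeof_field(struct attr_record, type) */

struct mft_record_model {
	uint16_t attrs_offset;    /* offset of the first attribute from record start */
	uint32_t bytes_in_use;    /* bytes of the record that are in use */
	uint32_t bytes_allocated; /* bytes allocated to the record */
};

/* Pre-patch logic as the commit message describes it: alignment plus a
 * range check against the allocated buffer.  Returns 1 if accepted. */
int old_record_check(const struct mft_record_model *m)
{
	if (m->attrs_offset & 7)
		return 0;
	if (m->attrs_offset > m->bytes_allocated || m->attrs_offset > MFT_RECORD_SIZE)
		return 0;
	return 1;
}

/* Post-patch logic: the first attribute's 4-byte type field must lie
 * inside bytes_in_use.  Offset first, then remaining size, so the unsigned
 * subtraction is only evaluated when it cannot wrap. */
int new_record_check(const struct mft_record_model *m)
{
	if (!old_record_check(m))
		return 0;
	if (m->attrs_offset > m->bytes_in_use ||
	    m->bytes_in_use - m->attrs_offset < ATTR_TYPE_SIZE)
		return 0;
	return 1;
}

/* The quantity the attribute walker derives as "space left in the record":
 * bytes_in_use minus the attribute offset.  Unsigned, so a record that passed
 * old_record_check() with attrs_offset > bytes_in_use wraps here. */
uint32_t remaining_space(const struct mft_record_model *m)
{
	return m->bytes_in_use - m->attrs_offset;
}

/* Constructed records: the commit message's malformed case, a sane record,
 * and one whose used area ends only 2 bytes after attrs_offset. */
const struct mft_record_model malformed_record = { 128, 64, 1024 };
const struct mft_record_model sane_record      = { 56, 400, 1024 };
const struct mft_record_model truncated_record = { 64, 66, 1024 };

int main(void)
{
	const struct mft_record_model *recs[] = { &sane_record, &malformed_record, &truncated_record };
	for (int i = 0; i < 3; i++) {
		const struct mft_record_model *m = recs[i];
		printf("attrs_offset=%u bytes_in_use=%u: old=%s new=%s space=0x%08x\n",
		       (unsigned)m->attrs_offset, (unsigned)m->bytes_in_use,
		       old_record_check(m) ? "accept" : "reject",
		       new_record_check(m) ? "accept" : "reject",
		       (unsigned)remaining_space(m));
	}
	return 0;
}
```

The order of the two clauses in new_record_check() is the point: the subtraction is reached only after attrs_offset <= bytes_in_use is known, which is what makes the remaining-size comparison safe where remaining_space() is not.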
From: DaeMyung Kang
To: Namjae Jeon
Cc: Hyunchul Lee , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/3] ntfs: validate MFT attrs_offset against bytes_in_use
Date: Sat, 9 May 2026 00:34:08 +0900
Message-ID: <20260508153410.2624801-2-charsyam@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260508153410.2624801-1-charsyam@gmail.com>
References: <20260508153410.2624801-1-charsyam@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: List-Subscribe: List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

ntfs_mft_record_check() verifies that attrs_offset is aligned and that the resulting pointer stays within the allocated MFT record buffer, but it does not check that the first attribute header starts within the bytes_in_use area. A malformed record with attrs_offset greater than bytes_in_use can pass this check as long as attrs_offset is still within bytes_allocated.

The attribute parser then computes the remaining record space by subtracting the attribute pointer from bytes_in_use. Because that value is unsigned, the subtraction can underflow and allow bytes after bytes_in_use to be interpreted as an attribute.

Reject records where attrs_offset is outside bytes_in_use or where the used area does not even contain the four-byte attribute type/AT_END terminator at attrs_offset.

A small userspace model with attrs_offset=128 and bytes_in_use=64 shows the current check accepts the record and the parser space calculation underflows to 0xffffffc0. With this change the same malformed record is rejected before the attribute walker is entered.

Fixes: d3ad708fecaa ("ntfs: Initial commit")
Signed-off-by: DaeMyung Kang
---
 fs/ntfs/mft.c | 14 ++++++++++++--
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/fs/ntfs/mft.c b/fs/ntfs/mft.c
index c04462fe049e..70c1aa76181b 100644
--- a/fs/ntfs/mft.c
+++ b/fs/ntfs/mft.c
@@ -30,6 +30,8 @@ int ntfs_mft_record_check(const struct ntfs_volume *vol, = struct mft_record *m, { struct attr_record *a; struct super_block *sb =3D vol->sb; + u16 attrs_offset; + u32 bytes_in_use; if (!ntfs_is_file_record(m->magic)) { ntfs_error(sb, "Record %llu has no FILE magic (0x%x)\n", 
@@ -65,7 +67,17 @@ int ntfs_mft_record_check(const struct ntfs_volume *vol,= struct mft_record *m, goto err_out; } - a =3D (struct attr_record *)((char *)m + le16_to_cpu(m->attrs_offset)); + attrs_offset =3D le16_to_cpu(m->attrs_offset); + bytes_in_use =3D le32_to_cpu(m->bytes_in_use); + + if (attrs_offset > bytes_in_use || + bytes_in_use - attrs_offset < sizeof_field(struct attr_record, type))= { + ntfs_error(sb, "Record %llu has corrupt attribute offset\n", + mft_no); + goto err_out; + } + + a =3D (struct attr_record *)((char *)m + attrs_offset); if ((char *)a < (char *)m || (char *)a > (char *)m + vol->mft_record_size= ) { ntfs_error(sb, "Record %llu is corrupt\n", mft_no); goto err_out; -- 2.34.1 From nobody Sat Jun 13 07:47:12 2026 Received: from mail-pf1-f174.google.com (mail-pf1-f174.google.com [209.85.210.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C16AE37C91F for ; Sat, 9 May 2026 06:12:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778307173; cv=none; b=Wu0zPIBIBx/daFu4c4Dtgmcg/H62ZFFntg2fILQectvyBws1oOknJtbF7J/E/7Dz7QYrYLtbrjiHvO0QCseDm4+af/Qb06BwNSRFQVpGvFGw50fHEnJo0cDIHHCPbeJaQFA5CJwuZmbE+wDeCn+2ufV/dyHzC1SkeRdPBkzKG08= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778307173; c=relaxed/simple; bh=PC48TOzHQt37hxOiP5Otjl5IcN76jFKPVasccqNSwhI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ECUDRYklBMm5hTzNhJjj43MWIoIosHmRvN+nr16WMwGJ/MTHtRkMrcUrIW7irg1vsECjVK17MrBPS8qpQG10k79n8N+zvERP/l9pROP3TtYD1nBiPmEbAMXiMN/fpF+8VGdOrhdWtR2mlbTTN64h2xKxG9/WWOHeivkpyFUUQFM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com 
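Review bot: this posting and the v2 copy earlier in the thread carry the same hunk body but different provenance: the Fixes: tag here names d3ad708fecaa ("ntfs: Initial commit") and the index line reads c04462fe049e..70c1aa76181b, while v2 names 1da177e4c3f4 ("Linux-2.6.12-rc2") with a different blob. A Fixes: tag that does not resolve in the maintainer's tree blocks stable selection, so the series should say explicitly which tree it targets and carry only the matching tag. The only other difference is that the ntfs_error() call is wrapped onto two lines here (hence 13 vs 12 insertions); either form is fine, but keep them consistent across versions so the diff between v1 and v2 is the intended one.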
From: DaeMyung Kang
To: Namjae Jeon , Hyunchul Lee
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, DaeMyung Kang
Subject: [PATCH v2 2/3] ntfs: fix MFT bitmap scan 2^32 boundary check
Date: Sat, 9 May 2026 15:12:36 +0900
Message-ID: <20260509061237.3233714-3-charsyam@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260508153410.2624801-1-charsyam@gmail.com>
References: <20260508153410.2624801-1-charsyam@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: List-Subscribe: List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

NTFS MFT record numbers are limited to the 32-bit range, and ntfs_mft_record_layout() rejects mft_no >= 2^32. The free-MFT-record bitmap scan in ntfs_mft_bitmap_find_and_alloc_free_rec_nolock() also guards against this overflow but uses a strict greater than comparison, allowing record number 2^32 itself through this earlier check.

Every other 2^32 boundary check in fs/ntfs/mft.c uses '>=', so the strict greater than here is both a real off-by-one and an internal inconsistency. A model with ll == 2^32 confirms the current check accepts the value while the corrected check rejects it.

Use '>=' so the boundary matches the layout-time rejection and the surrounding bitmap-scan checks.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: DaeMyung Kang
---
 fs/ntfs/mft.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ntfs/mft.c b/fs/ntfs/mft.c
index 827b99f4597a..b056c9bbdf5f 100644
--- a/fs/ntfs/mft.c
+++ b/fs/ntfs/mft.c
@@ -1045,7 +1045,7 @@ static s64 ntfs_mft_bitmap_find_and_alloc_free_rec_no= lock(struct ntfs_volume *vo b =3D ffz((unsigned long)*byte); if (b < 8 && b >=3D (bit & 7)) { ll =3D data_pos + (bit & ~7ull) + b; - if (unlikely(ll > (1ll << 32))) { + if (unlikely(ll >=3D (1ll << 32))) { folio_unlock(folio); kunmap_local(buf); folio_put(folio); --=20 2.43.0 From nobody Sat Jun 13 07:47:12 2026 Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com [209.85.214.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3C3A5406287 for ; Fri, 8 May 2026 15:34:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.169 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778254465; cv=none; b=rZTber4fITIWzztyK9l4dABRj3/k0ID+q8Fwxx17hw3RANFLDF/gxMa+Y9AIDmEPIbI0+1TpnjCvNLuSvpGsyl2ApFn44OEYPavLfUEvnbcXzj4YgVrT2L/IWATvGzxCXT+k9ElWAN9NH3yp2E42AjZHybE3xwMin7db44sLkD4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778254465; c=relaxed/simple; bh=X5irLmEg3FC1ByiJtD3Pn+cYS+C0zl1YcFztWaTN51I=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=RUiIqbI0A3FdS3rh4sCeQ+YIcVyBtUdz6QfYLGhk5LedAnWxBJNa5JL/QslNwy566ejEJx/wHSZ3OnF5mFcHPqnC+8VO1GZKLSmJDyyONWkthG3/GVyqEVM3WiBzQGbnR7PJVJ7xUg5mJaO4mOsg426qPUYd97GgkvMDoFSFJWM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=hTAfK9qi; arc=none smtp.client-ip=209.85.214.169 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com 
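Review bot: the one-character change is correct: ll is computed in context as data_pos + (bit & ~7ull) + b, a 64-bit value, and the comparison against (1ll << 32) is well-defined, so ">=" rejects exactly the record number 2^32 that ">" let through, matching the layout-time check the commit message cites. Since the message itself observes that every 2^32 boundary in fs/ntfs/mft.c is spelled out by hand, a single named limit for the maximum MFT record number shared by these sites would stop this kind of drift from recurring; that is a follow-up suggestion, not a blocker for this fix.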
From: DaeMyung Kang
To: Namjae Jeon
Cc: Hyunchul Lee , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 2/3] ntfs: fix MFT bitmap scan 2^32 boundary check
Date: Sat, 9 May 2026 00:34:09 +0900
Message-ID: <20260508153410.2624801-3-charsyam@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260508153410.2624801-1-charsyam@gmail.com>
References: <20260508153410.2624801-1-charsyam@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: List-Subscribe: List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

NTFS MFT record numbers are limited to the 32-bit range, and ntfs_mft_record_layout() rejects mft_no >= 2^32. The free-MFT-record bitmap scan in ntfs_mft_bitmap_find_and_alloc_free_rec_nolock() also guards against this overflow but uses a strict greater than comparison, allowing record number 2^32 itself through this earlier check.

Every other 2^32 boundary check in fs/ntfs/mft.c uses '>=', so the strict greater than here is both a real off-by-one and an internal inconsistency. A model with ll == 2^32 confirms the current check accepts the value while the corrected check rejects it.

Use '>=' so the boundary matches the layout-time rejection and the surrounding bitmap-scan checks.

Fixes: d3ad708fecaa ("ntfs: Initial commit")
Signed-off-by: DaeMyung Kang
---
 fs/ntfs/mft.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ntfs/mft.c b/fs/ntfs/mft.c
index 70c1aa76181b..f8f2e481c5dc 100644
--- a/fs/ntfs/mft.c
+++ b/fs/ntfs/mft.c
@@ -1279,7 +1279,7 @@ static s64 ntfs_mft_bitmap_find_and_alloc_free_rec_no= lock(struct ntfs_volume *vo b =3D ffz((unsigned long)*byte); if (b < 8 && b >=3D (bit & 7)) { ll =3D data_pos + (bit & ~7ull) + b; - if (unlikely(ll > (1ll << 32))) { + if (unlikely(ll >=3D (1ll << 32))) { #if LINUX_VERSION_CODE >=3D KERNEL_VERSION(6, 6, 0) folio_unlock(folio); kunmap_local(buf); -- 2.34.1 From nobody Sat Jun 13 07:47:12 2026 Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 97C2038239B for ; Sat, 9 May 2026 06:12:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.170 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778307176; cv=none; b=sXOL1IXw/Y74EOGl6jcQLRJv9VhE38Bll4x5XPYtd7MVVuT9s6JxmRjk7FcEIMrqu6ONE2SHM4C3IdiOdeXVQjHpaCIQnS0WDZGdMm0or3vNK2aLdyOcoPTjGUWKQ1V3vcwtOGL098Qct8tmNVxAy2Bki0/KR9sf1aJZn78PqrM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778307176; c=relaxed/simple; bh=0iDZOjepnYHKbwUNptbhXbh2gt66eTQ2spfZriwBAiU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=f6Vz5dLplIoplKlBQ/uYUWDjbd5sz5aE5OYo8mV+UftfmRz29cWryduGH7/QgyyKJ2CnTRYKYy9b48TPuO6Dx08mn6lxin5OOruk8yxz5Bkv8kNqVpLRzgP0qnV3pbOUrXNg2j1XFSrVNva5cfZiSEE+z0qGfoMe2pV8mKcGdec= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=f5xz103r; arc=none smtp.client-ip=209.85.214.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass 
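Review bot: the context line "#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 6, 0)" directly after the changed test, together with the hunk sitting at line 1279 instead of the 1045 of the v2 posting, shows this version is against a version-compat tree rather than the mainline file; the one-character ">" to ">=" change is identical and correct in both. As with 1/3, naming the target tree in the series description would stop a maintainer from applying the wrong variant of an otherwise trivial fix.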
From: DaeMyung Kang
To: Namjae Jeon , Hyunchul Lee
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, DaeMyung Kang
Subject: [PATCH v2 3/3] ntfs: validate attribute name bounds before returning it
Date: Sat, 9 May 2026 15:12:37 +0900
Message-ID: <20260509061237.3233714-4-charsyam@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260508153410.2624801-1-charsyam@gmail.com>
References: <20260508153410.2624801-1-charsyam@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: List-Subscribe: List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

ntfs_attr_find() validates a named attribute before comparing it with the requested name, but that check is currently after the AT_UNUSED handling. When callers enumerate attributes with AT_UNUSED, ntfs_attr_find() can return a malformed named attribute before checking whether name_offset and name_length stay within the attribute record.

Some enumeration callers use the returned attribute name pointer directly. For example, one path passes (attr + name_offset, name_length) to ntfs_attr_iget(), where the name can later be copied according to name_length. A malformed on-disk name_offset/name_length pair should not be exposed to those callers.

Move the existing name bounds validation before returning attributes during AT_UNUSED enumeration, and write it as an offset/remaining-size check so the subtraction cannot underflow. Extract the converted values into local variables (name_offset, attr_len, name_size) to make the intent explicit and avoid repeating the endian conversions inside the bounds check. This keeps matching attributes on the same checked path while also covering attribute enumeration.

A small userspace ASAN model with attr length=32, name_offset=124 and name_length=8 reproduces a heap-buffer-overflow read in the old enumeration path.
With this change the same malformed attribute is rejected before the name pointer is returned to the caller. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: DaeMyung Kang --- fs/ntfs/attrib.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c index 97b660eaa00c..1a0e1f9e0853 100644 --- a/fs/ntfs/attrib.c +++ b/fs/ntfs/attrib.c @@ -672,6 +672,9 @@ static int ntfs_attr_find(const __le32 type, const __le= 16 *name, __le16 *upcase =3D vol->upcase; u32 upcase_len =3D vol->upcase_len; unsigned int space; + u16 name_offset; + u32 attr_len; + u32 name_size; =20 /* * Iterate over attributes in mft record starting at @ctx->attr, or the @@ -699,6 +702,20 @@ static int ntfs_attr_find(const __le32 type, const __l= e16 *name, return -ENOENT; if (unlikely(!a->length)) break; + if (a->name_length) { + name_offset =3D le16_to_cpu(a->name_offset); + attr_len =3D le32_to_cpu(a->length); + name_size =3D a->name_length * sizeof(__le16); + + if (name_offset > attr_len || + attr_len - name_offset < name_size) { + ntfs_error(vol->sb, + "Corrupt attribute name in MFT record %llu\n", + ctx->ntfs_ino->mft_no); + break; + } + } + if (type =3D=3D AT_UNUSED) return 0; if (a->type !=3D type) 
@@ -712,14 +729,6 @@ static int ntfs_attr_find(const __le32 type, const __l= e16 *name, if (a->name_length) return -ENOENT; } else { - if (a->name_length && ((le16_to_cpu(a->name_offset) + - a->name_length * sizeof(__le16)) > - le32_to_cpu(a->length))) { - ntfs_error(vol->sb, "Corrupt attribute name in MFT record %llu\n", - ctx->ntfs_ino->mft_no); - break; - } - if (!ntfs_are_names_equal(name, name_len, (__le16 *)((u8 *)a + le16_to_cpu(a->name_offset)), a->name_length, ic, upcase, upcase_len)) { --=20 2.43.0

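Review bot: in the first hunk (@@ -672,6 +672,9 @@), the three new locals `u16 name_offset; u32 attr_len; u32 name_size;` are declared at function scope but are only assigned and read inside the `if (a->name_length) { ... }` block added in the next hunk. Declaring them inside that block, initialised at the point of declaration (`u16 name_offset = le16_to_cpu(a->name_offset);` and so on), keeps their scope tight and avoids a function-scope `name_offset` that is uninitialised for attributes with `name_length == 0`.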
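Review bot: in the second hunk (@@ -699,6 +702,20 @@), the relocated check bounds the name only against `a->length`; nothing visible in this hunk shows that `a->length` has itself been bounded against the MFT record, so if the loop's earlier checks only validate where the attribute header starts, a corrupt oversized `length` could still let a name that passes this check extend past the record. If the loop already limits `a->length` to the record, a one-line comment above the new `if` saying so would make that dependency explicit; if not, that bound belongs here as well. The form `name_offset > attr_len || attr_len - name_offset < name_size` is correct and cannot wrap, and placing it before `if (type == AT_UNUSED) return 0;` is what actually closes the enumeration path. For triage it would also help to include `name_offset` and `a->name_length` in the "Corrupt attribute name in MFT record %llu" message.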
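Review bot: in the third hunk (@@ -712,14 +729,6 @@), removing the old check in the `else` branch is sound, because the relocated check now runs for every attribute with a non-zero `name_length` before both the AT_UNUSED early return and the type comparison. One leftover: the `ntfs_are_names_equal` call that follows still recomputes `le16_to_cpu(a->name_offset)` even though the previous hunk stored the same value in `name_offset`; reusing the local would require it to be valid when `a->name_length == 0` (it is only assigned inside `if (a->name_length)`), so either initialise it unconditionally or keep the recomputation with a short comment explaining why.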
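The commit message above describes the old enumeration path handing back an unchecked name pointer and the new offset/remaining-size form of the check. The following userspace model is an added example, not code from the patch, the kernel tree or the submitter's ASAN model: `struct attr_hdr` is a simplified stand-in for the on-disk attribute header (field layout chosen for the example, little-endian host assumed, so no `le16_to_cpu`/`le32_to_cpu` is modelled), `AT_UNUSED` and all function names are the example's own, and the constructed record is the one the commit message cites (length=32, name_offset=124, name_length=8). It runs that record through a model of the old and new orderings, and also shows why the offset guard in front of the subtraction matters.

```c
/* Added example, not code from the patch or the kernel tree: a userspace
 * model of the attribute-name bounds check. struct attr_hdr is a simplified
 * stand-in for the on-disk header (layout assumed for the example,
 * little-endian host, no endian conversion modelled). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct attr_hdr {
    uint32_t type;         /* attribute type code */
    uint32_t length;       /* total attribute record length in bytes */
    uint8_t  name_length;  /* name length in 16-bit code units */
    uint8_t  pad;
    uint16_t name_offset;  /* byte offset of the name from the record start */
};

#define AT_UNUSED 0xffffffffu  /* example's enumeration marker: return any attribute */

/* The relocated check: [name_offset, name_offset + name_size) must lie inside
 * the attr_len-byte record. Testing the offset first keeps the unsigned
 * subtraction from wrapping. */
static bool attr_name_in_bounds(uint32_t attr_len, uint16_t name_offset,
                                uint8_t name_length)
{
    uint32_t name_size = (uint32_t)name_length * sizeof(uint16_t);

    if (name_offset > attr_len)
        return false;
    return attr_len - name_offset >= name_size;
}

/* Contrast: the remaining-size comparison without the offset guard. With
 * attr_len=32 and name_offset=124 the subtraction wraps and the record passes. */
static bool unguarded_remaining_check(uint32_t attr_len, uint16_t name_offset,
                                      uint8_t name_length)
{
    uint32_t name_size = (uint32_t)name_length * sizeof(uint16_t);

    return attr_len - name_offset >= name_size;
}

/* Old ordering: on AT_UNUSED enumeration the attribute is returned before the
 * name is validated; the check only runs for typed lookups. Returns the name
 * offset a caller would receive, or -1 when the attribute is rejected. */
static long old_find_name_offset(const struct attr_hdr *a, uint32_t type)
{
    if (!a->length)
        return -1;
    if (type == AT_UNUSED)
        return a->name_offset;          /* unchecked on this path */
    if (a->name_length &&
        (uint32_t)a->name_offset + (uint32_t)a->name_length * sizeof(uint16_t) > a->length)
        return -1;                      /* old check, typed lookups only */
    return a->name_offset;
}

/* New ordering: validate before the AT_UNUSED early return, so enumeration
 * and typed lookups share the checked path. */
static long new_find_name_offset(const struct attr_hdr *a, uint32_t type)
{
    (void)type;
    if (!a->length)
        return -1;
    if (a->name_length &&
        !attr_name_in_bounds(a->length, a->name_offset, a->name_length))
        return -1;                      /* "Corrupt attribute name" path */
    return a->name_offset;
}

/* Constructed sample from the commit message: length=32, name_offset=124,
 * name_length=8, so the name would span bytes 124..139 of a 32-byte record. */
static struct attr_hdr malformed_sample(void)
{
    struct attr_hdr a;

    memset(&a, 0, sizeof(a));
    a.type = 0x30;                      /* arbitrary type code for the example */
    a.length = 32;
    a.name_length = 8;
    a.name_offset = 124;
    return a;
}

/* Old path on the sample: returns 124, an offset past the 32-byte record. */
static long old_path_on_sample(void)
{
    struct attr_hdr a = malformed_sample();

    return old_find_name_offset(&a, AT_UNUSED);
}

/* New path on the sample: returns -1, the attribute is rejected. */
static long new_path_on_sample(void)
{
    struct attr_hdr a = malformed_sample();

    return new_find_name_offset(&a, AT_UNUSED);
}

int main(void)
{
    printf("old enumeration path returns name offset %ld\n", old_path_on_sample());
    printf("new enumeration path returns %ld (rejected)\n", new_path_on_sample());
    printf("unguarded subtraction accepts the record: %d\n",
           unguarded_remaining_check(32, 124, 8));
    return 0;
}
```

The model does not dereference the out-of-range offset; it only shows which offset each ordering would hand to a caller, which is the value the commit message says callers such as ntfs_attr_iget() later copy from.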
From: DaeMyung Kang
To: Namjae Jeon
Cc: Hyunchul Lee, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 3/3] ntfs: validate attribute name bounds before returning it
Date: Sat, 9 May 2026 00:34:10 +0900
Message-ID: <20260508153410.2624801-4-charsyam@gmail.com>
In-Reply-To: <20260508153410.2624801-1-charsyam@gmail.com>
References: <20260508153410.2624801-1-charsyam@gmail.com>

ntfs_attr_find() validates a named attribute before comparing it with the requested name, but that check is currently after the AT_UNUSED handling. When callers enumerate attributes with AT_UNUSED, ntfs_attr_find() can return a malformed named attribute before checking whether name_offset and name_length stay within the attribute record.

Some enumeration callers use the returned attribute name pointer directly. For example, one path passes (attr + name_offset, name_length) to ntfs_attr_iget(), where the name can later be copied according to name_length. A malformed on-disk name_offset/name_length pair should not be exposed to those callers.

Move the existing name bounds validation before returning attributes during AT_UNUSED enumeration, and write it as an offset/remaining-size check so the subtraction cannot underflow. Extract the converted values into local variables (name_offset, attr_len, name_size) to make the intent explicit and avoid repeating the endian conversions inside the bounds check. This keeps matching attributes on the same checked path while also covering attribute enumeration.

A small userspace ASAN model with attr length=32, name_offset=124 and name_length=8 reproduces a heap-buffer-overflow read in the old enumeration path.
With this change the same malformed attribute is rejected before the name pointer is returned to the caller. Fixes: d3ad708fecaa ("ntfs: Initial commit") Signed-off-by: DaeMyung Kang --- fs/ntfs/attrib.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c index 330127975b26..f51917b4a494 100644 --- a/fs/ntfs/attrib.c +++ b/fs/ntfs/attrib.c @@ -675,6 +675,9 @@ static int ntfs_attr_find(const __le32 type, const __le= 16 *name, __le16 *upcase =3D vol->upcase; u32 upcase_len =3D vol->upcase_len; unsigned int space; + u16 name_offset; + u32 attr_len; + u32 name_size; /* * Iterate over attributes in mft record starting at @ctx->attr, or the @@ -702,6 +705,20 @@ static int ntfs_attr_find(const __le32 type, const __l= e16 *name, return -ENOENT; if (unlikely(!a->length)) break; + if (a->name_length) { + name_offset =3D le16_to_cpu(a->name_offset); + attr_len =3D le32_to_cpu(a->length); + name_size =3D a->name_length * sizeof(__le16); + + if (name_offset > attr_len || + attr_len - name_offset < name_size) { + ntfs_error(vol->sb, + "Corrupt attribute name in MFT record %llu\n", + ctx->ntfs_ino->mft_no); + break; + } + } + if (type =3D=3D AT_UNUSED) return 0; if (a->type !=3D type) @@ -715,14 +732,6 @@ static int ntfs_attr_find(const __le32 type, const __l= e16 *name, if (a->name_length) return -ENOENT; } else { - if (a->name_length && ((le16_to_cpu(a->name_offset) + - a->name_length * sizeof(__le16)) > - le32_to_cpu(a->length))) { - ntfs_error(vol->sb, "Corrupt attribute name in MFT record %llu\n", - ctx->ntfs_ino->mft_no); - break; - } - if (!ntfs_are_names_equal(name, name_len, (__le16 *)((u8 *)a + le16_to_cpu(a->name_offset)), a->name_length, ic, upcase, upcase_len)) { -- 2.34.1
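Review bot: the hunk headers in this posting (@@ -675,6 +675,9 @@, @@ -702,6 +705,20 @@, @@ -715,14 +732,6 @@) and the index line (330127975b26..f51917b4a494) differ from the v2 posting of the same change (@@ -672 / -699 / -712, index 97b660eaa00c..1a0e1f9e0853), and the Fixes: tag names a different commit in each version. The hunk content is identical, so the review points raised on v2 apply here unchanged; please state in the cover letter which base tree the series is generated against so the Fixes: target and the hunk offsets can be checked against it.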