From: Samuel Moelius
To: Namjae Jeon
Cc: Samuel Moelius, Hyunchul Lee, linux-fsdevel@vger.kernel.org (open list:NTFS FILESYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] ntfs: detect mapping-pairs LCN accumulator overflow
Date: Wed, 3 Jun 2026 17:41:09 +0000
Message-ID: <20260603174109.24493-1-sam.moelius@trailofbits.com>

The NTFS mapping-pairs parser accumulates relative LCN deltas in a signed integer. A corrupted attribute can drive that addition past the representable range.

One corrupt runlist shape sets the accumulated LCN to S64_MAX and then adds a delta of 1 in the next mapping-pairs entry. Signed overflow is undefined and can turn an invalid runlist into a different set of physical clusters.

Check the LCN addition for overflow before storing the next run.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius

--- fs/ntfs/runlist.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c index e7de3d01257e..e9294a5f4cbf 100644 --- a/fs/ntfs/runlist.c +++ b/fs/ntfs/runlist.c
@@ -860,7 +860,11 @@ struct runlist_element *ntfs_mapping_pairs_decompress(= const struct ntfs_volume * for (deltaxcn =3D (s8)buf[b--]; b > b2; b--) deltaxcn =3D (deltaxcn << 8) + buf[b]; /* Change the current lcn to its new value. */ - lcn +=3D deltaxcn; + if (unlikely(check_add_overflow(lcn, deltaxcn, &lcn))) { + ntfs_error(vol->sb, + "LCN overflow in mapping pairs array."); + goto err_out; + } #ifdef DEBUG /* * On NTFS 1.2-, apparently can have lcn =3D=3D -1 to --=20 2.43.0
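
Review bot: the loop just above the new check still builds deltaxcn with `deltaxcn = (deltaxcn << 8) + buf[b];` and no bound on its iteration count is visible in this hunk, so if the entry's byte count lets that loop run for more than eight bytes, the delta has already lost its high bits before check_add_overflow() sees it and the sum can pass the check with a wrong value. It is worth confirming that the byte count is capped before this point, or rejecting over-long entries here as well. A smaller point on the added lines: check_add_overflow() stores the wrapped sum in its destination even when it reports overflow, and the destination here is lcn itself; that is harmless only as long as nothing on the err_out path reads lcn, so a temporary or a one-line comment would make the intent explicit.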