From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Tobias Gaertner, Konstantin Komarov
Subject: [PATCH 6.6 130/474] ntfs3: add buffer boundary checks to run_unpack()
Date: Fri, 15 May 2026 17:43:59 +0200
Message-ID: <20260515154717.845495189@linuxfoundation.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260515154715.053014143@linuxfoundation.org>
References: <20260515154715.053014143@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tobias Gaertner

commit b62567bca47408e6739dee75f02a2113548af875 upstream.

run_unpack() checks `run_buf < run_last` at the top of the while loop but then reads size_size and offset_size bytes via run_unpack_s64() without verifying they fit within the remaining buffer. A crafted NTFS image with truncated run data in an MFT attribute triggers an OOB heap read of up to 15 bytes when the filesystem is mounted.

Add boundary checks before each run_unpack_s64() call to ensure the declared field size does not exceed the remaining buffer.

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

Fixes: 82cae269cfa95 ("fs/ntfs3: Add initialization of super block")
Cc: stable@vger.kernel.org
Signed-off-by: Tobias Gaertner
Signed-off-by: Konstantin Komarov
Signed-off-by: Greg Kroah-Hartman
---
 fs/ntfs3/run.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/ntfs3/run.c
+++ b/fs/ntfs3/run.c
@@ -963,6 +963,9 @@ int run_unpack(struct runs_tree *run, st if (size_size > 8) return -EINVAL; + if (run_buf + size_size > run_last) + return -EINVAL; + len = run_unpack_s64(run_buf, size_size, 0); /* Skip size_size. */ run_buf += size_size;
@@ -975,6 +978,9 @@ int run_unpack(struct runs_tree *run, st else if (offset_size <= 8) { s64 dlcn; + if (run_buf + offset_size > run_last) + return -EINVAL; + /* Initial value of dlcn is -1 or 0. */ dlcn = (run_buf[offset_size - 1] & 0x80) ? (s64)-1 : 0; dlcn = run_unpack_s64(run_buf, offset_size, dlcn);
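Review bot: In the hunk at @@ -963,6 +963,9 @@, the new bound `if (run_buf + size_size > run_last)` forms a pointer past the end of the buffer before comparing it; the equivalent `if (size_size > run_last - run_buf)` compares a length against the bytes remaining and never creates a past-the-end pointer. Placing the check after `if (size_size > 8) return -EINVAL;` is the right order, since it keeps the addend bounded; a one-line comment stating that the check covers the following run_unpack_s64() read would help the next reader, and if offset_size is already decoded at this point (the context here does not show where it comes from), one check that `size_size + offset_size` bytes remain could replace the two separate ones.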
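Review bot: In the hunk at @@ -975,6 +978,9 @@, the check `if (run_buf + offset_size > run_last)` correctly lands before `dlcn = (run_buf[offset_size - 1] & 0x80) ? (s64)-1 : 0;`, which is the first read of the offset field; the same `offset_size > run_last - run_buf` form would avoid computing a past-the-end pointer. Because this branch is `else if (offset_size <= 8)`, the `run_buf[offset_size - 1]` index is only safe if the preceding branch (outside this context) already handles offset_size == 0: with a zero offset_size the new check passes and the index becomes -1, so that case is worth confirming in the full function when reviewing the backport.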
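To show the parsing problem the commit message describes end to end, here is a user-space model of NTFS data-run ("mapping pairs") decoding with the two remaining-bytes checks in place. This is added example code, not ntfs3's run_unpack() or anything from the patch; the header-byte layout (low nibble = width of the length field, high nibble = width of the cluster-delta field, zero byte terminates, zero delta width means a sparse run) is the on-disk NTFS format, while the struct name, the -1 marker for sparse runs, the rejection of zero-width lengths, zero-length runs and a missing terminator, and the sample byte strings are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical example, not ntfs3's run_unpack(). Each run: a header byte
 * (low nibble = size_size, high nibble = offset_size; 0x00 terminates),
 * then size_size bytes of unsigned little-endian length in clusters, then
 * offset_size bytes of signed little-endian delta from the previous LCN
 * (offset_size == 0 marks a sparse run).
 */
struct run {
	int64_t lcn;   /* starting cluster; -1 marks a sparse run (this example's marker) */
	uint64_t len;  /* length in clusters */
};

/* Little-endian field of `size` bytes (1..8); sign-extends when asked. */
static int64_t unpack_s64(const uint8_t *p, unsigned size, bool sign_extend)
{
	uint64_t v = 0;

	for (unsigned i = 0; i < size; i++)
		v |= (uint64_t)p[i] << (8 * i);
	if (sign_extend && size < 8 && (p[size - 1] & 0x80))
		v |= ~(uint64_t)0 << (8 * size);
	return (int64_t)v;
}

/*
 * Decode runs from buf[0..buf_len) into out[]. Returns the run count, or -1
 * for malformed input: bad field widths, a field that does not fit in the
 * remaining bytes (the read the patch closes), a zero-length run, a negative
 * LCN, too many runs, or a missing terminator (policy chosen for this example).
 */
int decode_runs(const uint8_t *buf, size_t buf_len, struct run *out, size_t max_runs)
{
	const uint8_t *p = buf, *end = buf + buf_len;
	int64_t lcn = 0;
	size_t n = 0;

	while (p < end) {
		uint8_t hdr = *p++;   /* the single byte the loop guard covers */
		unsigned size_size = hdr & 0x0f, offset_size = hdr >> 4;
		uint64_t len;

		if (hdr == 0)
			return (int)n;
		if (size_size == 0 || size_size > 8 || offset_size > 8)
			return -1;
		/* Length-based bound: never form a pointer past `end`. */
		if ((size_t)(end - p) < size_size)
			return -1;
		len = (uint64_t)unpack_s64(p, size_size, false);
		p += size_size;
		if (len == 0 || n == max_runs)
			return -1;

		if (offset_size == 0) {
			out[n].lcn = -1;   /* sparse run: no clusters allocated */
		} else {
			/* Same check before touching p[offset_size - 1]. */
			if ((size_t)(end - p) < offset_size)
				return -1;
			lcn += unpack_s64(p, offset_size, true);
			p += offset_size;
			if (lcn < 0)
				return -1;
			out[n].lcn = lcn;
		}
		out[n].len = len;
		n++;
	}
	return -1;   /* ran out of bytes before the 0x00 terminator */
}

/* Constructed sample data for this example, not taken from any real image. */
const uint8_t SAMPLE_OK[] = {
	0x21, 0x18, 0x34, 0x00,  /* len=24, delta=+52 -> lcn 52 */
	0x11, 0x10, 0xF0,        /* len=16, delta=-16 -> lcn 36 */
	0x01, 0x05,              /* len=5, sparse */
	0x00,                    /* terminator */
};
/* Header promises a 2-byte delta but one byte follows: the truncation case. */
const uint8_t SAMPLE_TRUNC[] = { 0x21, 0x18, 0x34 };

int main(void)
{
	struct run r[8];
	int n = decode_runs(SAMPLE_OK, sizeof SAMPLE_OK, r, 8);

	for (int i = 0; i < n; i++)
		printf("run %d: lcn=%lld len=%llu\n", i,
		       (long long)r[i].lcn, (unsigned long long)r[i].len);
	printf("truncated input -> %d\n",
	       decode_runs(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, r, 8));
	return 0;
}
```

The two `(end - p) < width` tests are the user-space counterparts of the patch's `run_buf + size_size > run_last` and `run_buf + offset_size > run_last` checks; written as length comparisons they never compute a pointer beyond the buffer. On SAMPLE_TRUNC the header advertises a two-byte delta, the length byte fits, and the decoder stops before reading the byte that would lie past the end, which is exactly the read a truncated attribute triggered before the fix.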