From: rtm@csail.mit.edu
To: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Cc: ntfs3@lists.linux.dev
Subject: buffer overflow in ntfs3's log_replay()
Date: Sun, 25 Jan 2026 17:14:32 -0500
Message-ID: <42774.1769379272@localhost>

Below is a demo in which a corrupt NTFS image mounted r/w with ntfs3
causes log_replay() to allocate 112 bytes for ra at line 4029:

    ra = kzalloc(log->restart_size, GFP_NOFS);

but then copies 96 bytes to ra at offset 64 at line 4041:

    memcpy(ra->clients, Add2Ptr(ra2, t16),
           le16_to_cpu(ra2->ra_len) - t16);

log->restart_size is 112, ra2->ra_len is 112, and t16 (really
ra2->client_off) is 16.

To reproduce:
# uname -a
Linux ubuntu66 6.19.0-rc6-00447-g4dc00a84391e #39 SMP PREEMPT_DYNAMIC Sun Jan 25 16:32:13 EST 2026 x86_64 x86_64 x86_64 GNU/Linux
# wget http://www.rtmrtm.org/rtm/ntfs30a.img.gz
# gunzip ntfs30a.img.gz
# mount -t ntfs3 -o loop,rw ntfs30a.img /mnt
[Right Redzone overwritten] 0xffff8881097bd600-0xffff8881097bd607 @offset=5632. First byte 0xff instead of 0xcc
=============================================================================
BUG kmalloc-128 (Not tainted): Object corrupt
-----------------------------------------------------------------------------
Allocated in 0xffffffffffffffff age=0 cpu=4294967295 pid=1330
Freed in free_rb_tree_fname+0x42/0x70 age=20073 cpu=1 pid=413
Slab 0xffffea000425ef00 objects=21 used=15 fp=0xffff8881097bda00 flags=0x200000000000240(workingset|head|node=0|zone=2)
Object 0xffff8881097bd580 @offset=5504 fp=0xffffffffffffffff
Redzone ffff8881097bd500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff8881097bd510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff8881097bd520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff8881097bd530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff8881097bd540: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff8881097bd550: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff8881097bd560: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff8881097bd570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Object ffff8881097bd580: 7f 08 00 e0 ff ff ff ff 01 00 ff ff 00 00 ff ff ................
Object ffff8881097bd590: 43 00 00 00 a0 00 40 00 00 00 00 00 00 00 00 00 C.....@.........
Object ffff8881097bd5a0: ff ff ff ff f8 ff f8 ff 42 ad 60 44 ff ff ff ff ........B.`D....
Object ffff8881097bd5b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff8881097bd5c0: 43 00 00 00 70 00 10 00 00 00 00 00 00 00 00 00 C...p...........
Object ffff8881097bd5d0: ff ff ff ff f8 ff f8 ff ff ff ff ff ff ff ff ff ................
Object ffff8881097bd5e0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff8881097bd5f0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Redzone ffff8881097bd600: ff ff ff ff ff ff ff ff ........
Padding ffff8881097bd654: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding ffff8881097bd664: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding ffff8881097bd674: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
Robert Morris
rtm@mit.edu
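The arithmetic in the report, worked through as an added C example (this is not code from the report or from fs/ntfs3; the struct below is a deliberately simplified model, assumed to keep only the two on-disk fields the report names, padded so that clients[] starts at byte 64 as the report says). ra_copy_overrun() computes how far the memcpy runs past a log->restart_size allocation for given ra_len and client_off; with the report's values (112, 112, 16) it is 48 bytes, which is what lands in the slab redzone. ra_copy_checked() is the shape of check a practitioner would want before that memcpy: the source range must lie inside ra2, and offsetof(clients) + (ra_len - client_off) must not exceed restart_size. build_ra2() fills a constructed buffer with those field values so the whole thing runs offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Simplified model of the restart area (assumption: the real RESTART_AREA
 * in fs/ntfs3/ntfslog.c has many more fields; only the two the report
 * names are kept, padded so that clients[] starts at byte 64).
 */
struct ra_model {
    uint16_t ra_len;      /* on-disk, attacker-controlled */
    uint16_t client_off;  /* on-disk, attacker-controlled (t16 in the report) */
    uint8_t  pad[60];
    uint8_t  clients[];   /* offset 64, as in the report */
};

#define RA_CLIENTS_OFF offsetof(struct ra_model, clients)

/*
 * Bytes that memcpy(ra->clients, ra2 + client_off, ra_len - client_off)
 * would write beyond a restart_size allocation; 0 when the copy fits.
 * Pure arithmetic, so it is safe to call with the report's values.
 */
size_t ra_copy_overrun(size_t restart_size, uint16_t ra_len, uint16_t client_off)
{
    if (client_off > ra_len)
        return SIZE_MAX;  /* u16 - u16 goes negative: effectively unbounded copy */
    size_t end = RA_CLIENTS_OFF + (size_t)(ra_len - client_off);
    return end > restart_size ? end - restart_size : 0;
}

/* Read an on-disk little-endian u16 without depending on host alignment. */
static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/*
 * Hardened copy: allocate restart_size bytes and copy only after checking
 * that the source lies inside ra2 and the destination inside the
 * allocation. Returns NULL on any inconsistency instead of copying.
 * Caller frees the result.
 */
struct ra_model *ra_copy_checked(size_t restart_size,
                                 const uint8_t *ra2, size_t ra2_size)
{
    if (restart_size < sizeof(struct ra_model) || ra2_size < sizeof(struct ra_model))
        return NULL;

    uint16_t ra_len = rd_le16(ra2);
    uint16_t client_off = rd_le16(ra2 + 2);

    if (client_off > ra_len || ra_len > ra2_size)          /* source bounds */
        return NULL;
    if (ra_copy_overrun(restart_size, ra_len, client_off))  /* destination bounds */
        return NULL;

    struct ra_model *ra = calloc(1, restart_size);          /* stands in for kzalloc */
    if (!ra)
        return NULL;
    memcpy(ra->clients, ra2 + client_off, ra_len - client_off);
    return ra;
}

/*
 * Constructed ra2 image: ra_len bytes of 0xab with the two header fields
 * set. Returns the number of bytes written, 0 if it does not fit.
 */
size_t build_ra2(uint8_t *buf, size_t cap, uint16_t ra_len, uint16_t client_off)
{
    if (ra_len < 4 || cap < ra_len)
        return 0;
    memset(buf, 0xab, ra_len);
    buf[0] = ra_len & 0xff;     buf[1] = ra_len >> 8;
    buf[2] = client_off & 0xff; buf[3] = client_off >> 8;
    return ra_len;
}

int main(void)
{
    uint8_t ra2[112];
    size_t n = build_ra2(ra2, sizeof ra2, 112, 16);  /* the report's values */

    printf("restart_size=112 ra_len=112 client_off=16: overrun %zu bytes\n",
           ra_copy_overrun(112, 112, 16));
    printf("checked copy: %s\n",
           ra_copy_checked(112, ra2, n) ? "accepted" : "rejected");

    n = build_ra2(ra2, sizeof ra2, 64, 16);           /* 48 bytes to offset 64: fits */
    struct ra_model *ra = ra_copy_checked(112, ra2, n);
    printf("ra_len=64 client_off=16: %s\n", ra ? "accepted" : "rejected");
    free(ra);
    return 0;
}
```

The rejection check is the point: the copy length is derived entirely from on-disk fields, so it has to be compared against the size actually allocated, not trusted because the same fields passed an earlier validity check.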
Thread overview: 2+ messages
2026-01-25 22:14 rtm [this message]
2026-02-09 9:44 ` buffer overflow in ntfs3's log_replay() Konstantin Komarov