From: syzbot <syzbot+39b2fb0f2638669008ec@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: Re: [syzbot] KASAN: slab-out-of-bounds in decompress_lznt
Date: Fri, 17 Apr 2026 09:20:46 -0700
Message-ID: <69e25dde.a00a0220.1bd0ca.0009.GAE@google.com>
In-Reply-To: <00000000000077d29606186c5e99@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] KASAN: slab-out-of-bounds in decompress_lznt
Author: tristmd@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>From 6cfb2c5508cbe3c057fc4fe83808ef6cf8fc9868 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tristan@talencesecurity.com>
Date: Fri, 17 Apr 2026 16:15:16 +0000
Subject: [PATCH] ntfs3: fix array-index-out-of-bounds in decompress_lznt

decompress_chunk() increments index without checking array bounds,
leading to an out-of-bounds access on s_max_off when processing
corrupted compressed data.

Add an upper bound check on index to prevent the overflow.

Reported-by: syzbot+39b2fb0f2638669008ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=39b2fb0f2638669008ec
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/ntfs3/lznt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ntfs3/lznt.c b/fs/ntfs3/lznt.c
index fdc9b2e..f818d97 100644
--- a/fs/ntfs3/lznt.c
+++ b/fs/ntfs3/lznt.c
@@ -240,7 +240,7 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr,
 		if (up - unc > LZNT_CHUNK_SIZE)
 			return -EINVAL;
 		/* Correct index */
-		while (unc + s_max_off[index] < up)
+		while (index < ARRAY_SIZE(s_max_off) - 1 && unc + s_max_off[index] < up)
 			index += 1;
 
 		/* Check the current flag for zero. */
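Review bot: The new bound in the `while` condition under `/* Correct index */` clamps `index` at the last element of `s_max_off` and then lets decoding continue, even though the loop may have stopped only because of the bound and not because `unc + s_max_off[index] < up` became false. The commit message says this state is reached only with corrupted compressed data, and the check two lines above already returns `-EINVAL` when `up - unc > LZNT_CHUNK_SIZE`, so consider rejecting the chunk the same way when the bound is hit, or state in the commit message why continuing with the last table entry yields a correct result. If the clamp stays, a short comment on the loop explaining why `index` can reach the end of the table would help the next reader. The changed line is also well past 80 columns and could be wrapped after the `&&`, and the message carries no Fixes: tag naming the commit that introduced the unchecked increment.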
-- 
2.47.3

Thread overview: 7+ messages
2024-05-14 16:19 [syzbot] [ntfs3?] UBSAN: array-index-out-of-bounds in decompress_lznt syzbot
2024-05-15 12:38 ` [PATCH] ntfs3: check if more than chunk-size bytes are written Andrew Ballance
2024-05-15 12:59   ` [syzbot] [ntfs3?] UBSAN: array-index-out-of-bounds in decompress_lznt syzbot
2024-07-01 21:55 ` [syzbot] test syzbot
2024-08-23 16:04 ` [syzbot] UBSAN: array-index-out-of-bounds in decompress_lznt syzbot
2026-04-17 10:12 ` Forwarded: [PATCH] ntfs3: fix " syzbot
2026-04-17 16:20 ` syzbot [this message]
