* Re: [PATCH] fs/ntfs3: fix out-of-bounds write in ni_create_attr_list()
[not found] <20260624053008.4885-2-xmei5@asu.edu>
@ 2026-06-26 13:11 ` hewei-gikaku
0 siblings, 0 replies; only message in thread
From: hewei-gikaku @ 2026-06-26 13:11 UTC (permalink / raw)
To: Weiming Shi
Cc: Xiang Mei, Konstantin Komarov, ntfs3, linux-fsdevel, linux-kernel
Hi Weiming, Xiang,

I posted a fix for this exact ni_create_attr_list() out-of-bounds write
two weeks before this patch, to the same list and CC'ing the same
maintainer:

v1 (2026-06-10): https://lore.kernel.org/all/20260610002929.51765-1-skyexpoc@gmail.com/
v2 (2026-06-25): https://lore.kernel.org/all/20260625031932.9412-1-skyexpoc@gmail.com/

Same root cause, same Fixes: tag. The two patches differ in how they fix
it, and the difference matters:

- This patch keeps the fixed al_aligned(record_size) buffer and returns
  -EINVAL as soon as an entry would cross the buffer end. Because each
  ATTR_LIST_ENTRY (le_size(0) = 0x20) is larger than the minimum resident
  attribute it represents (SIZEOF_RESIDENT = 0x18), the list can grow past
  a single record_size for a sufficiently full base record, so this can
  fail a normal setxattr/file operation with -EINVAL instead of handling
  it.

- My v2 computes the exact list size from the attributes first and
  allocates accordingly, closing the overflow without introducing that
  regression.

Given the earlier posting and that v2 fixes the bug without rejecting
otherwise-valid records, I'd suggest taking v2. I'm happy to rebase it or
adjust to whatever Konstantin prefers.

Thanks,
HE WEI
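The sizing argument in the message above, worked through in a small model. This is an added example, not code from either patch or from the ntfs3 driver: it takes only the two sizes quoted in the thread (le_size(0) = 0x20, SIZEOF_RESIDENT = 0x18), assumes al_aligned() is plain 8-byte alignment, and uses a constructed record layout (RECORD_HDR_LEN and END_MARKER_LEN are assumed values, not the driver's). It packs a base record of record_size bytes with unnamed minimum-size resident attributes, then compares the exact attribute-list size (the v2 approach) against a fixed al_aligned(record_size) buffer.

```c
#include <stddef.h>
#include <stdio.h>

/* Sizes quoted in the thread: an attribute-list entry with an empty name
 * is 0x20 bytes (le_size(0)); the smallest resident attribute in the base
 * record is 0x18 bytes (SIZEOF_RESIDENT). */
#define LE_SIZE_BASE    0x20u
#define SIZEOF_RESIDENT 0x18u
#define ALIGN8(x)       (((x) + 7u) & ~7u)

/* Assumed constants for the constructed record (not taken from the driver):
 * bytes of MFT record header before the first attribute, and bytes kept
 * for the end-of-attributes marker. */
#define RECORD_HDR_LEN  0x38u
#define END_MARKER_LEN  0x08u

/* Constructed model of one attribute: only what the sizing depends on. */
struct attr_model {
    unsigned name_len;  /* attribute name length in UTF-16 code units */
    unsigned rec_len;   /* bytes the attribute occupies in the record */
};

/* Size of the ATTR_LIST_ENTRY describing an attribute whose name has
 * name_len characters; assumed to mirror the driver's le_size(). */
size_t le_size(unsigned name_len)
{
    return ALIGN8(LE_SIZE_BASE + 2u * name_len);
}

/* Exact attribute-list size computed from the attributes themselves,
 * i.e. what is known before any buffer is allocated (the v2 approach). */
size_t attr_list_size(const struct attr_model *attrs, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += le_size(attrs[i].name_len);
    return total;
}

/* Fixed buffer the other approach relies on: al_aligned(record_size),
 * assumed here to be 8-byte alignment of record_size. */
size_t fixed_list_buffer(size_t record_size)
{
    return ALIGN8(record_size);
}

/* Fill `out` with a constructed base record of record_size bytes packed
 * with unnamed minimum-size resident attributes; returns how many fit. */
size_t model_full_record(size_t record_size, struct attr_model *out, size_t cap)
{
    size_t avail = record_size - RECORD_HDR_LEN - END_MARKER_LEN;
    size_t n = avail / SIZEOF_RESIDENT;
    if (n > cap)
        n = cap;
    for (size_t i = 0; i < n; i++) {
        out[i].name_len = 0;
        out[i].rec_len = SIZEOF_RESIDENT;
    }
    return n;
}

/* 1 if a record of this size, packed as above, needs more list bytes than
 * the fixed al_aligned(record_size) buffer provides; 0 otherwise. */
int fixed_buffer_too_small(size_t record_size)
{
    struct attr_model attrs[512];
    size_t n = model_full_record(record_size, attrs, 512);
    return attr_list_size(attrs, n) > fixed_list_buffer(record_size);
}

int main(void)
{
    size_t sizes[] = { 1024, 4096 };
    for (size_t i = 0; i < 2; i++) {
        struct attr_model attrs[512];
        size_t n = model_full_record(sizes[i], attrs, 512);
        printf("record_size=%zu: %zu attrs, list needs %zu bytes, "
               "fixed buffer %zu bytes: %s\n",
               sizes[i], n, attr_list_size(attrs, n),
               fixed_list_buffer(sizes[i]),
               fixed_buffer_too_small(sizes[i]) ? "too small" : "fits");
    }
    return 0;
}
```

With a 1024-byte record the model holds 40 minimal attributes, so the list needs 40 * 0x20 = 1280 bytes while the fixed buffer is 1024 bytes; the ratio 0x20/0x18 means a record that is more than about three quarters full of minimal attributes already needs more than record_size. Computing attr_list_size() before allocating sizes the buffer to the actual need, which is the point the message makes about v2.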