From: Pavitra Jha
To: almaz.alexandrovich@paragon-software.com
Cc: ntfs3@lists.linux.dev, linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org, Pavitra Jha, stable@vger.kernel.org
Subject: [PATCH] fs/ntfs3: fix Out-Of-Bounds write in log_replay() via unvalidated data_off
Date: Sat, 2 May 2026 06:50:07 -0400
Message-ID: <20260502105008.21827-1-jhapavitra98@gmail.com>
X-Mailer: git-send-email 2.53.0
X-Mailing-List: linux-kernel@vger.kernel.org

log_replay() applies UpdateRecordDataRoot and UpdateRecordDataAllocation redo
operations using a destination pointer derived from the on-disk field
e->view.data_off, which is a 16-bit value read from attacker-controlled
filesystem data:

	memmove(Add2Ptr(e, le16_to_cpu(e->view.data_off)), data, dlen);

Neither check_if_index_root() nor check_if_root_index() validates data_off
against e->size. A crafted NTFS image can set data_off to 0xFFFF, causing
memmove() to write attacker-controlled data out of bounds of the NTFS_DE
entry and its backing allocation.

The same unvalidated pattern exists in UpdateRecordDataAllocation.

ntfs3_bad_de_range() already exists to validate data_off and dlen against
e->size. Call it before each memmove(), bailing to dirty_vol on violation.

This mirrors the fix applied to DeleteIndexEntryRoot in commit b2bc7c44ed17
("fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot").

Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal")
Cc: stable@vger.kernel.org
Signed-off-by: Pavitra Jha
---
 fs/ntfs3/fslog.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c
index 272e45276..c0237f7d0 100644
--- a/fs/ntfs3/fslog.c +++ b/fs/ntfs3/fslog.c @@ -3487,6 +3487,9 @@ static int do_action(struct ntfs_log *log, struct OPEN_ATTR_ENRTY *oe, e = Add2Ptr(attr, le16_to_cpu(lrh->attr_off)); + if (ntfs3_bad_de_range(e, dlen)) + goto dirty_vol; + memmove(Add2Ptr(e, le16_to_cpu(e->view.data_off)), data, dlen); mi->dirty = true; @@ -3679,6 +3682,9 @@ static int do_action(struct ntfs_log *log, struct OPEN_ATTR_ENRTY *oe, goto dirty_vol; } + if (ntfs3_bad_de_range(e, dlen)) + goto dirty_vol; + memmove(Add2Ptr(e, le16_to_cpu(e->view.data_off)), data, dlen); a_dirty = true; -- 2.53.0
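Review bot: in the first hunk (@@ -3487), ntfs3_bad_de_range(e, dlen) dereferences e->size, but e is computed from the on-disk lrh->attr_off on the context line just above the insertion and nothing in the hunk shows attr_off being bounded against the attribute; if that bound is not already enforced above the context shown, the new check reads e->size out of bounds before it can reject anything. Please confirm where attr_off is validated and name that check in the commit message. Also, the subject and commit message attribute the bug to log_replay(), while the hunk header shows the memmove() lives in do_action(); naming the function the diff actually changes would help backporters match the Fixes: tag to the code.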
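Review bot: in the second hunk (@@ -3679), the added guard lands immediately after an existing `goto dirty_vol; }` block, so the UpdateRecordDataAllocation path now runs two separate checks that bail to the same label; folding the call into the preceding conditional, or adding a one-line comment stating what the existing check covers and what ntfs3_bad_de_range() adds (data_off and dlen within e->size), would keep the intent readable. Since the same three-line guard followed by the same memmove() now appears verbatim in both hunks, a small static helper that performs the validated copy would also prevent a future redo-op path from skipping the check.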
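As an added illustration of the bounds rule the commit message describes (example code written for this page, not from the kernel or the patch author), the following user-space model checks an index entry's data_off and dlen against its own size before copying, and rejects the 0xFFFF offset from the report as well as a 16-bit wrap. The struct layout, field names and the exact semantics assumed for ntfs3_bad_de_range() are assumptions; the real struct NTFS_DE and the kernel helper differ.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed stand-in for the on-disk index entry header; the real
 * struct NTFS_DE has more fields. Both values come straight from disk. */
struct de_model {
	uint16_t size;     /* total length of this entry in bytes */
	uint16_t data_off; /* offset of the payload inside the entry */
	uint8_t  body[64]; /* backing storage of this constructed entry */
};

/* Assumed semantics of the kernel's ntfs3_bad_de_range(): true when the
 * window [data_off, data_off + dlen) is not inside [header, size).
 * Comparisons are done before any addition so 16-bit sums cannot wrap. */
static bool model_bad_de_range(const struct de_model *e, uint32_t dlen)
{
	uint32_t off = e->data_off;
	if (off < 2 * sizeof(uint16_t)) /* payload must not overlap header */
		return true;
	if (off > e->size)              /* 0xFFFF from the report lands here */
		return true;
	return dlen > (uint32_t)e->size - off;
}

/* Redo-apply step modelled on the patched path: validate, then copy.
 * 0 = applied, -1 = rejected (the kernel's dirty_vol path). */
static int model_apply_update(struct de_model *e, const void *data, uint32_t dlen)
{
	if (model_bad_de_range(e, dlen))
		return -1;
	memmove((uint8_t *)e + e->data_off, data, dlen);
	return 0;
}

/* Builds one constructed entry claiming the given size/data_off and tries
 * to apply a dlen-byte update to it. Returns -2 if the claim exceeds the
 * toy allocation, so the model itself never writes out of bounds. */
int model_replay_case(uint16_t claimed_size, uint16_t data_off, uint32_t dlen)
{
	struct de_model e = { .size = claimed_size, .data_off = data_off };
	uint8_t payload[sizeof e.body];
	if (claimed_size > sizeof e)
		return -2;
	memset(payload, 0xAB, sizeof payload);
	return model_apply_update(&e, payload, dlen);
}
```

An accepted copy can never exceed size - data_off, so the constructed payload buffer is always large enough for it.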