From: DaeMyung Kang
To: Namjae Jeon
Cc: Hyunchul Lee, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/3] ntfs: validate MFT attrs_offset against bytes_in_use
Date: Sat, 9 May 2026 00:34:08 +0900
Message-ID: <20260508153410.2624801-2-charsyam@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260508153410.2624801-1-charsyam@gmail.com>
References: <20260508153410.2624801-1-charsyam@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

ntfs_mft_record_check() verifies that attrs_offset is aligned and that the resulting pointer stays within the allocated MFT record buffer, but it does not check that the first attribute header starts within the bytes_in_use area. A malformed record with attrs_offset greater than bytes_in_use can pass this check as long as attrs_offset is still within bytes_allocated.

The attribute parser then computes the remaining record space by subtracting the attribute pointer from bytes_in_use. Because that value is unsigned, the subtraction can underflow and allow bytes after bytes_in_use to be interpreted as an attribute.

Reject records where attrs_offset is outside bytes_in_use or where the used area does not even contain the four-byte attribute type/AT_END terminator at attrs_offset.

A small userspace model with attrs_offset=128 and bytes_in_use=64 shows the current check accepts the record and the parser space calculation underflows to 0xffffffc0. With this change the same malformed record is rejected before the attribute walker is entered.

Fixes: d3ad708fecaa ("ntfs: Initial commit")
Signed-off-by: DaeMyung Kang
---
 fs/ntfs/mft.c | 14 ++++++++++++--
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/fs/ntfs/mft.c b/fs/ntfs/mft.c
index c04462fe049e..70c1aa76181b 100644
--- a/fs/ntfs/mft.c
+++ b/fs/ntfs/mft.c
@@ -30,6 +30,8 @@ int ntfs_mft_record_check(const struct ntfs_volume *vol, struct mft_record *m, { struct attr_record *a; struct super_block *sb = vol->sb; + u16 attrs_offset; + u32 bytes_in_use; if (!ntfs_is_file_record(m->magic)) { ntfs_error(sb, "Record %llu has no FILE magic (0x%x)\n", @@ -65,7 +67,17 @@ int ntfs_mft_record_check(const struct ntfs_volume *vol, struct mft_record *m, goto err_out; } - a = (struct attr_record *)((char *)m + le16_to_cpu(m->attrs_offset)); + attrs_offset = le16_to_cpu(m->attrs_offset); + bytes_in_use = le32_to_cpu(m->bytes_in_use); + + if (attrs_offset > bytes_in_use || + bytes_in_use - attrs_offset < sizeof_field(struct attr_record, type)) { + ntfs_error(sb, "Record %llu has corrupt attribute offset\n", + mft_no); + goto err_out; + } + + a = (struct attr_record *)((char *)m + attrs_offset); if ((char *)a < (char *)m || (char *)a > (char *)m + vol->mft_record_size) { ntfs_error(sb, "Record %llu is corrupt\n", mft_no); goto err_out; -- 2.34.1
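Review bot: the new ntfs_error() in the second hunk reports only the record number, whereas the existing message in the first hunk's context ("Record %llu has no FILE magic (0x%x)\n") also prints the offending value; logging attrs_offset and bytes_in_use here would let someone triaging a corrupt-image report tell the attrs_offset > bytes_in_use case from the missing-terminator case without a debugger, for example "Record %llu has corrupt attribute offset (attrs_offset 0x%x, bytes_in_use 0x%x)\n". The ordering of the two conditions is right: attrs_offset > bytes_in_use is tested first, so bytes_in_use - attrs_offset cannot wrap. Since the new check guarantees attrs_offset <= bytes_in_use, the pointer-range check against vol->mft_record_size that still follows can now only fire when bytes_in_use itself exceeds the record size; if that is already rejected earlier in this function, the old check is redundant, and either dropping it or adding a one-line comment saying why it is kept would help the next reader.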
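As an added illustration of the bug the commit message describes (not the patch's own code and not the kernel's), the following userspace model runs the pre-patch and patched checks on the constructed record with attrs_offset=128 and bytes_in_use=64; the struct layout, the alignment test and all function names are simplified assumptions.

```c
/* Added example, not from the patch or the kernel tree: a userspace
 * model of the attrs_offset validation. Only the three fields the
 * check uses are modelled; layout and names are assumptions. */
#include <stdint.h>
#include <stdio.h>

struct mft_record_model {       /* simplified, host-endian model */
    uint16_t attrs_offset;      /* offset of the first attribute header */
    uint32_t bytes_in_use;      /* bytes of the record actually in use */
    uint32_t bytes_allocated;   /* size of the record buffer */
};

/* Space the attribute walker would compute: bytes_in_use minus the
 * attribute offset, in unsigned 32-bit arithmetic. Wraps around when
 * attrs_offset > bytes_in_use (64 - 128 -> 0xffffffc0). */
uint32_t model_parser_space(const struct mft_record_model *m)
{
    return m->bytes_in_use - m->attrs_offset;
}

/* Pre-patch check: 8-byte alignment plus "within the allocated
 * buffer"; bytes_in_use is never consulted. */
int model_check_old(const struct mft_record_model *m)
{
    if (m->attrs_offset & 7)
        return 0;
    return m->attrs_offset <= m->bytes_allocated;
}

/* Patched check: the 4-byte attribute type/AT_END field must lie inside
 * bytes_in_use; the > test runs first so the subtraction cannot wrap. */
int model_check_new(const struct mft_record_model *m)
{
    if (!model_check_old(m))
        return 0;
    if (m->attrs_offset > m->bytes_in_use ||
        m->bytes_in_use - m->attrs_offset < sizeof(uint32_t))
        return 0;
    return 1;
}

int main(void)
{
    /* constructed malformed record with the values from the commit message */
    struct mft_record_model bad = {
        .attrs_offset = 128, .bytes_in_use = 64, .bytes_allocated = 1024 };
    printf("old check %d, new check %d, parser space 0x%08x\n",
           model_check_old(&bad), model_check_new(&bad),
           model_parser_space(&bad));
    return 0;
}
```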