[PATCH v2 1/3] ntfs: validate MFT attrs_offset against bytes_in_use

The Linux Kernel Mailing List
 help / color / mirror / Atom feed

From: DaeMyung Kang <charsyam@gmail.com>
To: Namjae Jeon <linkinjeon@kernel.org>, Hyunchul Lee <hyc.lee@gmail.com>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	DaeMyung Kang <charsyam@gmail.com>
Subject: [PATCH v2 1/3] ntfs: validate MFT attrs_offset against bytes_in_use
Date: Sat,  9 May 2026 15:12:35 +0900	[thread overview]
Message-ID: <20260509061237.3233714-2-charsyam@gmail.com> (raw)
In-Reply-To: <20260508153410.2624801-1-charsyam@gmail.com>

ntfs_mft_record_check() verifies that attrs_offset is aligned and that
the resulting pointer stays within the allocated MFT record buffer, but
it does not check that the first attribute header starts within the
bytes_in_use area.

A malformed record with attrs_offset greater than bytes_in_use can pass
this check as long as attrs_offset is still within bytes_allocated.  The
attribute parser then computes the remaining record space by subtracting
the attribute pointer from bytes_in_use.  Because that value is unsigned,
the subtraction can underflow and allow bytes after bytes_in_use to be
interpreted as an attribute.

Reject records where attrs_offset is outside bytes_in_use or where the
used area does not even contain the four-byte attribute type/AT_END
terminator at attrs_offset.

A small userspace model with attrs_offset=128 and bytes_in_use=64 shows
the current check accepts the record and the parser space calculation
underflows to 0xffffffc0.  With this change the same malformed record is
rejected before the attribute walker is entered.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
---
 fs/ntfs/mft.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/fs/ntfs/mft.c b/fs/ntfs/mft.c
index 7d989267a82b..827b99f4597a 100644
--- a/fs/ntfs/mft.c
+++ b/fs/ntfs/mft.c
@@ -30,6 +30,8 @@ int ntfs_mft_record_check(const struct ntfs_volume *vol, struct mft_record *m,
 {
 	struct attr_record *a;
 	struct super_block *sb = vol->sb;
+	u16 attrs_offset;
+	u32 bytes_in_use;

 	if (!ntfs_is_file_record(m->magic)) {
 		ntfs_error(sb, "Record %llu has no FILE magic (0x%x)\n",
@@ -65,7 +67,16 @@ int ntfs_mft_record_check(const struct ntfs_volume *vol, struct mft_record *m,
 		goto err_out;
 	}

-	a = (struct attr_record *)((char *)m + le16_to_cpu(m->attrs_offset));
+	attrs_offset = le16_to_cpu(m->attrs_offset);
+	bytes_in_use = le32_to_cpu(m->bytes_in_use);
+
+	if (attrs_offset > bytes_in_use ||
+	    bytes_in_use - attrs_offset < sizeof_field(struct attr_record, type)) {
+		ntfs_error(sb, "Record %llu has corrupt attribute offset\n", mft_no);
+		goto err_out;
+	}
+
+	a = (struct attr_record *)((char *)m + attrs_offset);
 	if ((char *)a < (char *)m || (char *)a > (char *)m + vol->mft_record_size) {
 		ntfs_error(sb, "Record %llu is corrupt\n", mft_no);
 		goto err_out;
-- 
2.43.0

next prev parent reply	other threads:[~2026-05-09  6:12 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-08 15:34 [PATCH 0/3] ntfs: harden MFT record and attribute parsing DaeMyung Kang
2026-05-08 15:34 ` [PATCH 1/3] ntfs: validate MFT attrs_offset against bytes_in_use DaeMyung Kang
2026-05-08 15:34 ` [PATCH 2/3] ntfs: fix MFT bitmap scan 2^32 boundary check DaeMyung Kang
2026-05-09  4:03   ` Namjae Jeon
2026-05-09  6:14     ` CharSyam
2026-05-08 15:34 ` [PATCH 3/3] ntfs: validate attribute name bounds before returning it DaeMyung Kang
2026-05-09  6:12 ` [PATCH v2 0/3] ntfs: harden MFT record and attribute parsing DaeMyung Kang
2026-05-09 15:44   ` Namjae Jeon
2026-05-09  6:12 ` DaeMyung Kang [this message]
2026-05-09  6:12 ` [PATCH v2 2/3] ntfs: fix MFT bitmap scan 2^32 boundary check DaeMyung Kang
2026-05-09  6:12 ` [PATCH v2 3/3] ntfs: validate attribute name bounds before returning it DaeMyung Kang

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:7d989267a82 dfblob:827b99f4597 )
 OR (
bs:"[PATCH v2 1/3] ntfs: validate MFT attrs_offset against bytes_in_use" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260509061237.3233714-2-charsyam@gmail.com \
    --to=charsyam@gmail.com \
    --cc=hyc.lee@gmail.com \
    --cc=linkinjeon@kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox