From: DaeMyung Kang
To: Namjae Jeon, Hyunchul Lee
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, DaeMyung Kang
Subject: [PATCH v2 1/3] ntfs: validate MFT attrs_offset against bytes_in_use
Date: Sat, 9 May 2026 15:12:35 +0900
Message-ID: <20260509061237.3233714-2-charsyam@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260508153410.2624801-1-charsyam@gmail.com>
References: <20260508153410.2624801-1-charsyam@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

ntfs_mft_record_check() verifies that attrs_offset is aligned and that the
resulting pointer stays within the allocated MFT record buffer, but it does
not check that the first attribute header starts within the bytes_in_use
area. A malformed record with attrs_offset greater than bytes_in_use can
pass this check as long as attrs_offset is still within bytes_allocated.

The attribute parser then computes the remaining record space by
subtracting the attribute pointer from bytes_in_use. Because that value is
unsigned, the subtraction can underflow and allow bytes after bytes_in_use
to be interpreted as an attribute.

Reject records where attrs_offset is outside bytes_in_use or where the used
area does not even contain the four-byte attribute type/AT_END terminator
at attrs_offset.

A small userspace model with attrs_offset=128 and bytes_in_use=64 shows the
current check accepts the record and the parser space calculation
underflows to 0xffffffc0. With this change the same malformed record is
rejected before the attribute walker is entered.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: DaeMyung Kang
---
 fs/ntfs/mft.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/fs/ntfs/mft.c b/fs/ntfs/mft.c
index 7d989267a82b..827b99f4597a 100644
--- a/fs/ntfs/mft.c
+++ b/fs/ntfs/mft.c
@@ -30,6 +30,8 @@ int ntfs_mft_record_check(const struct ntfs_volume *vol, struct mft_record *m, { struct attr_record *a; struct super_block *sb = vol->sb; + u16 attrs_offset; + u32 bytes_in_use; if (!ntfs_is_file_record(m->magic)) { ntfs_error(sb, "Record %llu has no FILE magic (0x%x)\n", @@ -65,7 +67,16 @@ int ntfs_mft_record_check(const struct ntfs_volume *vol, struct mft_record *m, goto err_out; } - a = (struct attr_record *)((char *)m + le16_to_cpu(m->attrs_offset)); + attrs_offset = le16_to_cpu(m->attrs_offset); + bytes_in_use = le32_to_cpu(m->bytes_in_use); + + if (attrs_offset > bytes_in_use || + bytes_in_use - attrs_offset < sizeof_field(struct attr_record, type)) { + ntfs_error(sb, "Record %llu has corrupt attribute offset\n", mft_no); + goto err_out; + } + + a = (struct attr_record *)((char *)m + attrs_offset); if ((char *)a < (char *)m || (char *)a > (char *)m + vol->mft_record_size) { ntfs_error(sb, "Record %llu is corrupt\n", mft_no); goto err_out; -- 2.43.0
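Review bot: in the second hunk the new `attrs_offset > bytes_in_use` test is placed before the existing `(char *)a > (char *)m + vol->mft_record_size` check, so it bounds attrs_offset only relative to bytes_in_use and still relies on that later pointer check, or on validation of bytes_in_use earlier in the function that this hunk does not show, to reject a record whose bytes_in_use exceeds the record size. Either state in the commit message that bytes_in_use has already been checked against bytes_allocated/mft_record_size at this point, or place the new test after the pointer check so the ordering is self-evidently safe. The new error message `"Record %llu has corrupt attribute offset\n"` would also be more useful for triage if it reported the offending values the way the FILE-magic message in the first hunk reports the bad magic, for example `"Record %llu has attrs_offset 0x%x outside bytes_in_use 0x%x\n"`.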
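As an added userspace model (not the patch's own code and not the author's test program) of the check before and after this patch, driven by the commit message's attrs_offset=128 / bytes_in_use=64 record; the struct layout, field names, `old_check`/`new_check` and the 1024-byte record size are constructed assumptions that only mirror what the hunk reads:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the MFT record header fields the check reads. The
 * layout and names are hypothetical; they only mirror what the patch uses,
 * not the on-disk struct mft_record. */
struct mft_hdr {
    uint16_t attrs_offset;    /* offset of the first attribute from record start */
    uint32_t bytes_in_use;    /* bytes of the record actually in use */
    uint32_t bytes_allocated; /* size of the record buffer */
};

#define ATTR_TYPE_SIZE 4u /* stands in for sizeof_field(struct attr_record, type) */

/* Pre-patch check, reduced to its offset test: the attribute pointer only has
 * to land inside the allocated buffer. */
int old_check(const struct mft_hdr *m)
{
    return m->attrs_offset <= m->bytes_allocated;
}

/* Patched check: the first attribute header must start inside bytes_in_use and
 * the used area must still hold the 4-byte type/AT_END field. */
int new_check(const struct mft_hdr *m)
{
    if (m->attrs_offset > m->bytes_in_use ||
        m->bytes_in_use - m->attrs_offset < ATTR_TYPE_SIZE)
        return 0;
    return 1;
}

/* Space the attribute walker believes remains after attrs_offset, computed in
 * u32 like the kernel's subtraction, so a too-large attrs_offset wraps. */
uint32_t parser_space(const struct mft_hdr *m)
{
    return m->bytes_in_use - m->attrs_offset;
}

int main(void)
{
    /* The commit message's malformed record: attrs_offset=128, bytes_in_use=64,
     * inside a constructed 1024-byte record. */
    struct mft_hdr bad = { .attrs_offset = 128, .bytes_in_use = 64,
                           .bytes_allocated = 1024 };

    printf("old check accepts: %d\n", old_check(&bad));              /* 1 */
    printf("parser space: 0x%08x\n", (unsigned)parser_space(&bad)); /* 0xffffffc0 */
    printf("new check accepts: %d\n", new_check(&bad));              /* 0 */
    return 0;
}
```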