[PATCH] ntfs: fix s64 overflow in ntfs_mapping_pairs_decompress()

[PATCH] ntfs: fix s64 overflow in ntfs_mapping_pairs_decompress()

[Zhan Xusheng]

In ntfs_mapping_pairs_decompress(), deltaxcn is decoded from the
on-disk mapping pairs array and negative values are rejected, but
large positive values up to S64_MAX pass through unchecked.  The
subsequent `vcn += deltaxcn` can then wrap the s64 accumulator to a
negative value, breaking the monotonically-increasing VCN invariant
that ntfs_rl_vcn_to_lcn() and related helpers rely on.

A crafted NTFS image with a single 8-byte run-length of S64_MAX
triggers this when lowest_vcn > 0, leading to incorrect LCN lookups
and potential reads/writes to wrong disk sectors.

Add an overflow check before the addition and treat the on-disk data
as corrupt (-EIO) when the result would exceed S64_MAX.

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
---
 fs/ntfs/runlist.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c
index b213b4976d2b..a32affb57d29 100644
--- a/fs/ntfs/runlist.c
+++ b/fs/ntfs/runlist.c
@@ -823,7 +823,16 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
 		 * element.
 		 */
 		rl[rlpos].length = deltaxcn;
-		/* Increment the current vcn by the current run length. */
+		/*
+		 * Increment the current vcn by the current run length.
+		 * Both are non-negative here; guard against s64 overflow
+		 * from a crafted mapping pairs array to preserve the
+		 * monotonically-increasing vcn invariant.
+		 */
+		if (unlikely(deltaxcn > S64_MAX - vcn)) {
+			ntfs_error(vol->sb, "VCN overflow in mapping pairs array.");
+			goto err_out;
+		}
 		vcn += deltaxcn;
 		/*
 		 * There might be no lcn change at all, as is the case for
-- 
2.43.0

Re: [PATCH] ntfs: fix s64 overflow in ntfs_mapping_pairs_decompress()

[Hyunchul Lee]

Hello Zhan,

2026년 4월 22일 (수) 오후 12:08, Zhan Xusheng <zhanxusheng1024@gmail.com>님이 작성:
>
> In ntfs_mapping_pairs_decompress(), deltaxcn is decoded from the
> on-disk mapping pairs array and negative values are rejected, but
> large positive values up to S64_MAX pass through unchecked.  The
> subsequent `vcn += deltaxcn` can then wrap the s64 accumulator to a
> negative value, breaking the monotonically-increasing VCN invariant
> that ntfs_rl_vcn_to_lcn() and related helpers rely on.
>
> A crafted NTFS image with a single 8-byte run-length of S64_MAX
> triggers this when lowest_vcn > 0, leading to incorrect LCN lookups
> and potential reads/writes to wrong disk sectors.
>
> Add an overflow check before the addition and treat the on-disk data
> as corrupt (-EIO) when the result would exceed S64_MAX.
>
> Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
> ---
>  fs/ntfs/runlist.c | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c
> index b213b4976d2b..a32affb57d29 100644
> --- a/fs/ntfs/runlist.c
> +++ b/fs/ntfs/runlist.c
> @@ -823,7 +823,16 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
>                  * element.
>                  */
>                 rl[rlpos].length = deltaxcn;
> -               /* Increment the current vcn by the current run length. */
> +               /*
> +                * Increment the current vcn by the current run length.
> +                * Both are non-negative here; guard against s64 overflow
> +                * from a crafted mapping pairs array to preserve the
> +                * monotonically-increasing vcn invariant.
> +                */
> +               if (unlikely(deltaxcn > S64_MAX - vcn)) {
> +                       ntfs_error(vol->sb, "VCN overflow in mapping pairs array.");
> +                       goto err_out;
> +               }
>                 vcn += deltaxcn;

Could you use check_add_overflow() here?
In addition, attr->data.non_resident.lowest_vcn also needs to be
validated with overflows_type().

>                 /*
>                  * There might be no lcn change at all, as is the case for
> --
> 2.43.0
>
>


-- 
Thanks,
Hyunchul

[PATCH v2] ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()

[Zhan Xusheng]

In ntfs_mapping_pairs_decompress(), lowest_vcn is read from
on-disk metadata and used as the initial vcn without validation.
A malformed value can introduce an invalid (e.g. negative) vcn,
corrupting the runlist from the start.

Additionally, the accumulation
    vcn += deltaxcn

does not check for s64 overflow. A crafted mapping pairs array
can wrap vcn to a negative value, breaking the monotonically-
increasing invariant relied upon by ntfs_rl_vcn_to_lcn() and
related helpers.

Fix this by validating lowest_vcn and using check_add_overflow()
for vcn accumulation.

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
---
v2:
 - Validate lowest_vcn from on-disk metadata
 - Use check_add_overflow() for vcn accumulation
---
 fs/ntfs/runlist.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c
index b213b4976d2b..ee68258ebffb 100644
--- a/fs/ntfs/runlist.c
+++ b/fs/ntfs/runlist.c
@@ -749,6 +749,12 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
 #endif
 	/* Start at vcn = lowest_vcn and lcn 0. */
 	vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn);
+	/* Validate lowest_vcn from on-disk metadata to ensure it is sane. */
+	if (unlikely(vcn < 0)) {
+		ntfs_error(vol->sb, "Invalid lowest_vcn in mapping pairs.");
+		goto err_out;
+	}
+
 	lcn = 0;
 	/* Get start of the mapping pairs array. */
 	buf = (u8 *)attr +
@@ -823,8 +829,17 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
 		 * element.
 		 */
 		rl[rlpos].length = deltaxcn;
-		/* Increment the current vcn by the current run length. */
-		vcn += deltaxcn;
+		/*
+		 * Increment the current vcn by the current run length.
+		 * Guard against s64 overflow from a crafted mapping
+		 * pairs array to preserve the monotonically-increasing
+		 * vcn invariant.
+		 */
+		if (unlikely(check_add_overflow(vcn, deltaxcn, &vcn))) {
+			ntfs_error(vol->sb, "VCN overflow in mapping pairs array.");
+			goto err_out;
+		}
+
 		/*
 		 * There might be no lcn change at all, as is the case for
 		 * sparse clusters on NTFS 3.0+, in which case we set the lcn
-- 
2.43.0

Re: [PATCH v2] ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()

[Hyunchul Lee]

2026년 4월 22일 (수) 오후 6:47, Zhan Xusheng <zhanxusheng1024@gmail.com>님이 작성:
>
> In ntfs_mapping_pairs_decompress(), lowest_vcn is read from
> on-disk metadata and used as the initial vcn without validation.
> A malformed value can introduce an invalid (e.g. negative) vcn,
> corrupting the runlist from the start.
>
> Additionally, the accumulation
>     vcn += deltaxcn
>
> does not check for s64 overflow. A crafted mapping pairs array
> can wrap vcn to a negative value, breaking the monotonically-
> increasing invariant relied upon by ntfs_rl_vcn_to_lcn() and
> related helpers.
>
> Fix this by validating lowest_vcn and using check_add_overflow()
> for vcn accumulation.
>
> Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
> ---
> v2:
>  - Validate lowest_vcn from on-disk metadata
>  - Use check_add_overflow() for vcn accumulation
> ---
>  fs/ntfs/runlist.c | 19 +++++++++++++++++--
>  1 file changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c
> index b213b4976d2b..ee68258ebffb 100644
> --- a/fs/ntfs/runlist.c
> +++ b/fs/ntfs/runlist.c
> @@ -749,6 +749,12 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
>  #endif
>         /* Start at vcn = lowest_vcn and lcn 0. */
>         vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn);
> +       /* Validate lowest_vcn from on-disk metadata to ensure it is sane. */
> +       if (unlikely(vcn < 0)) {
> +               ntfs_error(vol->sb, "Invalid lowest_vcn in mapping pairs.");
> +               goto err_out;
> +       }

How about using overflows_type() ?
And please include <linux/overflow.h>.

> +
>         lcn = 0;
>         /* Get start of the mapping pairs array. */
>         buf = (u8 *)attr +
> @@ -823,8 +829,17 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
>                  * element.
>                  */
>                 rl[rlpos].length = deltaxcn;
> -               /* Increment the current vcn by the current run length. */
> -               vcn += deltaxcn;
> +               /*
> +                * Increment the current vcn by the current run length.
> +                * Guard against s64 overflow from a crafted mapping
> +                * pairs array to preserve the monotonically-increasing
> +                * vcn invariant.
> +                */
> +               if (unlikely(check_add_overflow(vcn, deltaxcn, &vcn))) {
> +                       ntfs_error(vol->sb, "VCN overflow in mapping pairs array.");
> +                       goto err_out;
> +               }
> +
>                 /*
>                  * There might be no lcn change at all, as is the case for
>                  * sparse clusters on NTFS 3.0+, in which case we set the lcn
> --
> 2.43.0
>


-- 
Thanks,
Hyunchul

[PATCH v3] ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()

[Zhan Xusheng]

In ntfs_mapping_pairs_decompress(), lowest_vcn is read from
on-disk metadata and used as the initial vcn without validation.
A malformed value can introduce an invalid (e.g. negative) vcn,
corrupting the runlist from the start.

Additionally, the accumulation
    vcn += deltaxcn

does not check for s64 overflow. A crafted mapping pairs array
can wrap vcn to a negative value, breaking the monotonically-
increasing invariant relied upon by ntfs_rl_vcn_to_lcn() and
related helpers.

Fix this by validating lowest_vcn and using check_add_overflow()
for vcn accumulation.

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
---
v3:
 - Use overflows_type() for lowest_vcn validation (Hyunchul)
v2:
 - Validate lowest_vcn from on-disk metadata
 - Use check_add_overflow() for vcn accumulation
---
 fs/ntfs/runlist.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c
index b213b4976d2b..be6ca3d374bb 100644
--- a/fs/ntfs/runlist.c
+++ b/fs/ntfs/runlist.c
@@ -15,6 +15,8 @@
  * Copyright (c) 2007-2022 Jean-Pierre Andre
  */
 
+#include <linux/overflow.h>
+
 #include "ntfs.h"
 #include "attrib.h"
 
@@ -739,6 +741,7 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
 	int rlsize;		/* Size of runlist buffer. */
 	u16 rlpos;		/* Current runlist position in units of struct runlist_elements. */
 	u8 b;			/* Current byte offset in buf. */
+	u64 lowest_vcn;		/* Raw on-disk lowest_vcn. */
 
 #ifdef DEBUG
 	/* Make sure attr exists and is non-resident. */
@@ -747,8 +750,14 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
 		return ERR_PTR(-EINVAL);
 	}
 #endif
+	lowest_vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn);
+	/* Validate lowest_vcn from on-disk metadata to ensure it is sane. */
+	if (overflows_type(lowest_vcn, vcn)) {
+		ntfs_error(vol->sb, "Invalid lowest_vcn in mapping pairs.");
+		goto err_out;
+	}
 	/* Start at vcn = lowest_vcn and lcn 0. */
-	vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn);
+	vcn = lowest_vcn;
 	lcn = 0;
 	/* Get start of the mapping pairs array. */
 	buf = (u8 *)attr +
@@ -823,8 +832,17 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
 		 * element.
 		 */
 		rl[rlpos].length = deltaxcn;
-		/* Increment the current vcn by the current run length. */
-		vcn += deltaxcn;
+		/*
+		 * Increment the current vcn by the current run length.
+		 * Guard against s64 overflow from a crafted mapping
+		 * pairs array to preserve the monotonically-increasing
+		 * vcn invariant.
+		 */
+		if (unlikely(check_add_overflow(vcn, deltaxcn, &vcn))) {
+			ntfs_error(vol->sb, "VCN overflow in mapping pairs array.");
+			goto err_out;
+		}
+
 		/*
 		 * There might be no lcn change at all, as is the case for
 		 * sparse clusters on NTFS 3.0+, in which case we set the lcn
-- 
2.43.0

Re: [PATCH v2] ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()

[Hyunchul Lee]

2026년 4월 23일 (목) 오전 8:57, Hyunchul Lee <hyc.lee@gmail.com>님이 작성:
>
> 2026년 4월 22일 (수) 오후 6:47, Zhan Xusheng <zhanxusheng1024@gmail.com>님이 작성:
> >
> > In ntfs_mapping_pairs_decompress(), lowest_vcn is read from
> > on-disk metadata and used as the initial vcn without validation.
> > A malformed value can introduce an invalid (e.g. negative) vcn,
> > corrupting the runlist from the start.
> >
> > Additionally, the accumulation
> >     vcn += deltaxcn
> >
> > does not check for s64 overflow. A crafted mapping pairs array
> > can wrap vcn to a negative value, breaking the monotonically-
> > increasing invariant relied upon by ntfs_rl_vcn_to_lcn() and
> > related helpers.
> >
> > Fix this by validating lowest_vcn and using check_add_overflow()
> > for vcn accumulation.
> >
> > Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
> > ---
> > v2:
> >  - Validate lowest_vcn from on-disk metadata
> >  - Use check_add_overflow() for vcn accumulation
> > ---
> >  fs/ntfs/runlist.c | 19 +++++++++++++++++--
> >  1 file changed, 17 insertions(+), 2 deletions(-)
> >
> > diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c
> > index b213b4976d2b..ee68258ebffb 100644
> > --- a/fs/ntfs/runlist.c
> > +++ b/fs/ntfs/runlist.c
> > @@ -749,6 +749,12 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
> >  #endif
> >         /* Start at vcn = lowest_vcn and lcn 0. */
> >         vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn);
> > +       /* Validate lowest_vcn from on-disk metadata to ensure it is sane. */
> > +       if (unlikely(vcn < 0)) {
> > +               ntfs_error(vol->sb, "Invalid lowest_vcn in mapping pairs.");
> > +               goto err_out;
> > +       }
>
> How about using overflows_type() ?
> And please include <linux/overflow.h>.

Just a gentle ping.
Please let me know your thoughts.

>
> > +
> >         lcn = 0;
> >         /* Get start of the mapping pairs array. */
> >         buf = (u8 *)attr +
> > @@ -823,8 +829,17 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
> >                  * element.
> >                  */
> >                 rl[rlpos].length = deltaxcn;
> > -               /* Increment the current vcn by the current run length. */
> > -               vcn += deltaxcn;
> > +               /*
> > +                * Increment the current vcn by the current run length.
> > +                * Guard against s64 overflow from a crafted mapping
> > +                * pairs array to preserve the monotonically-increasing
> > +                * vcn invariant.
> > +                */
> > +               if (unlikely(check_add_overflow(vcn, deltaxcn, &vcn))) {
> > +                       ntfs_error(vol->sb, "VCN overflow in mapping pairs array.");
> > +                       goto err_out;
> > +               }
> > +
> >                 /*
> >                  * There might be no lcn change at all, as is the case for
> >                  * sparse clusters on NTFS 3.0+, in which case we set the lcn
> > --
> > 2.43.0
> >
>
>
> --
> Thanks,
> Hyunchul



-- 
Thanks,
Hyunchul

Re: [PATCH v3] ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()

[Hyunchul Lee]

Hello Zhan,

On Thu, Apr 23, 2026 at 12:52:26PM +0800, Zhan Xusheng wrote:
> In ntfs_mapping_pairs_decompress(), lowest_vcn is read from
> on-disk metadata and used as the initial vcn without validation.
> A malformed value can introduce an invalid (e.g. negative) vcn,
> corrupting the runlist from the start.
> 
> Additionally, the accumulation
>     vcn += deltaxcn
> 
> does not check for s64 overflow. A crafted mapping pairs array
> can wrap vcn to a negative value, breaking the monotonically-
> increasing invariant relied upon by ntfs_rl_vcn_to_lcn() and
> related helpers.
> 
> Fix this by validating lowest_vcn and using check_add_overflow()
> for vcn accumulation.
> 
> Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>

The recipient is wrong.
Anyway looks good to me.

Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>

> ---
> v3:
>  - Use overflows_type() for lowest_vcn validation (Hyunchul)
> v2:
>  - Validate lowest_vcn from on-disk metadata
>  - Use check_add_overflow() for vcn accumulation
> ---
>  fs/ntfs/runlist.c | 24 +++++++++++++++++++++---
>  1 file changed, 21 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c
> index b213b4976d2b..be6ca3d374bb 100644
> --- a/fs/ntfs/runlist.c
> +++ b/fs/ntfs/runlist.c
> @@ -15,6 +15,8 @@
>   * Copyright (c) 2007-2022 Jean-Pierre Andre
>   */
>  
> +#include <linux/overflow.h>
> +
>  #include "ntfs.h"
>  #include "attrib.h"
>  
> @@ -739,6 +741,7 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
>  	int rlsize;		/* Size of runlist buffer. */
>  	u16 rlpos;		/* Current runlist position in units of struct runlist_elements. */
>  	u8 b;			/* Current byte offset in buf. */
> +	u64 lowest_vcn;		/* Raw on-disk lowest_vcn. */
>  
>  #ifdef DEBUG
>  	/* Make sure attr exists and is non-resident. */
> @@ -747,8 +750,14 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
>  		return ERR_PTR(-EINVAL);
>  	}
>  #endif
> +	lowest_vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn);
> +	/* Validate lowest_vcn from on-disk metadata to ensure it is sane. */
> +	if (overflows_type(lowest_vcn, vcn)) {
> +		ntfs_error(vol->sb, "Invalid lowest_vcn in mapping pairs.");
> +		goto err_out;
> +	}
>  	/* Start at vcn = lowest_vcn and lcn 0. */
> -	vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn);
> +	vcn = lowest_vcn;
>  	lcn = 0;
>  	/* Get start of the mapping pairs array. */
>  	buf = (u8 *)attr +
> @@ -823,8 +832,17 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
>  		 * element.
>  		 */
>  		rl[rlpos].length = deltaxcn;
> -		/* Increment the current vcn by the current run length. */
> -		vcn += deltaxcn;
> +		/*
> +		 * Increment the current vcn by the current run length.
> +		 * Guard against s64 overflow from a crafted mapping
> +		 * pairs array to preserve the monotonically-increasing
> +		 * vcn invariant.
> +		 */
> +		if (unlikely(check_add_overflow(vcn, deltaxcn, &vcn))) {
> +			ntfs_error(vol->sb, "VCN overflow in mapping pairs array.");
> +			goto err_out;
> +		}
> +
>  		/*
>  		 * There might be no lcn change at all, as is the case for
>  		 * sparse clusters on NTFS 3.0+, in which case we set the lcn
> -- 
> 2.43.0
> 
> 

-- 
Thanks,
Hyunchul

Re: [PATCH v3] ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()

[Namjae Jeon]

On Thu, Apr 23, 2026 at 1:52 PM Zhan Xusheng <zhanxusheng1024@gmail.com> wrote:
>
> In ntfs_mapping_pairs_decompress(), lowest_vcn is read from
> on-disk metadata and used as the initial vcn without validation.
> A malformed value can introduce an invalid (e.g. negative) vcn,
> corrupting the runlist from the start.
>
> Additionally, the accumulation
>     vcn += deltaxcn
>
> does not check for s64 overflow. A crafted mapping pairs array
> can wrap vcn to a negative value, breaking the monotonically-
> increasing invariant relied upon by ntfs_rl_vcn_to_lcn() and
> related helpers.
>
> Fix this by validating lowest_vcn and using check_add_overflow()
> for vcn accumulation.
>
> Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Applied it to #ntfs-next.
Thanks!