[PATCH] ntfs3: bound to_move in indx_insert_into_root before hdr_insert_head

[PATCH] ntfs3: bound to_move in indx_insert_into_root before hdr_insert_head

[Michael Bommarito]

indx_insert_into_root() promotes a full resident $INDEX_ROOT into
$INDEX_ALLOCATION and copies all non-last resident root entries into
a newly allocated INDEX_BUFFER via hdr_insert_head(). The source
byte count 'to_move' is summed from the on-disk resident entry sizes
and is independent of the destination buffer size, which comes from
root->index_block_size (via indx->index_bits).

A crafted NTFS image that keeps a valid, full resident root but
shrinks root->index_block_size down to 512 after the root has been
populated makes hdr_insert_head() memcpy attacker-controlled resident
entry bytes past the end of the kmalloc(1u << indx->index_bits)
allocation returned by indx_new(). For a 512-byte destination and a
resident root whose non-last entries total 560 bytes, the memcpy
overruns by 120 bytes and a following memmove extends the highest
written offset to 136 bytes past the allocation. The overflow bytes
are a direct copy of on-disk entries (via kmemdup), so they are
fully attacker-controlled.

The write is reachable from unprivileged open(O_CREAT) on a mounted
crafted NTFS image: a single sufficiently long create in a directory
whose resident root is already full forces root promotion and
triggers the copy.

This is a controlled out-of-bounds write of 120-136 bytes past a
kmalloc(index_block_size) allocation, with attacker-controlled
content. It is a bounded adjacent-heap corruption primitive; it is
not an arbitrary-address write. Successful exploitation into a named
victim object depends on the surrounding slab layout.

Reject the copy at the sink. The destination's INDEX_HDR already
reports hdr_total (the payload capacity of the new buffer) and
hdr_used (the bytes already consumed by the terminal END entry
installed by indx_new()); require that to_move fits in the remaining
payload before calling hdr_insert_head(). On mismatch, fail with
-EINVAL and mark the filesystem as having a detected on-disk
inconsistency, which is the same behaviour as the surrounding
validation in this function.

Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---

 - FYI, like the sp_size patch, I have a larger refactor that might
   make this easier to avoid long term.  It's a mount-time variant
   that adds the cross-check between root->index_block_size and
   the resident root attribute size to indx_init() instead of the
   sink, closing the whole "root entries do not fit declared
   index_block_size" class for any future caller that reaches
   hdr_insert_head from elsewhere.  Happy to send it as v2 if
   you prefer the wider change;  otherwise, this minimal guard is
   scoped to the minimal memcpy overrun site and is easier to
   backport.

 fs/ntfs3/index.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 2c43e7c27861..b7633b721d19 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -1740,6 +1740,22 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
 	hdr_used = le32_to_cpu(hdr->used);
 	hdr_total = le32_to_cpu(hdr->total);
 
+	/*
+	 * The destination INDEX_BUFFER has 'hdr_total' bytes of payload
+	 * available after the header, of which 'hdr_used' are already
+	 * consumed by the single terminal END entry installed by
+	 * indx_new(). A crafted image can present a resident root whose
+	 * non-last entries (summing to 'to_move') exceed what fits in
+	 * this buffer; copying them unchecked would overrun the
+	 * kmalloc(1u << indx->index_bits) allocation backing the new
+	 * buffer. Reject the copy in that case.
+	 */
+	if (to_move > hdr_total - hdr_used) {
+		err = -EINVAL;
+		ntfs_set_state(sbi, NTFS_DIRTY_ERROR);
+		goto out_put_n;
+	}
+
 	/* Copy root entries into new buffer. */
 	hdr_insert_head(hdr, re, to_move);
 
-- 
2.53.0

Re: [PATCH] ntfs3: bound to_move in indx_insert_into_root before hdr_insert_head

[Konstantin Komarov]

On 4/18/26 01:33, Michael Bommarito wrote:

> indx_insert_into_root() promotes a full resident $INDEX_ROOT into
> $INDEX_ALLOCATION and copies all non-last resident root entries into
> a newly allocated INDEX_BUFFER via hdr_insert_head(). The source
> byte count 'to_move' is summed from the on-disk resident entry sizes
> and is independent of the destination buffer size, which comes from
> root->index_block_size (via indx->index_bits).
>
> A crafted NTFS image that keeps a valid, full resident root but
> shrinks root->index_block_size down to 512 after the root has been
> populated makes hdr_insert_head() memcpy attacker-controlled resident
> entry bytes past the end of the kmalloc(1u << indx->index_bits)
> allocation returned by indx_new(). For a 512-byte destination and a
> resident root whose non-last entries total 560 bytes, the memcpy
> overruns by 120 bytes and a following memmove extends the highest
> written offset to 136 bytes past the allocation. The overflow bytes
> are a direct copy of on-disk entries (via kmemdup), so they are
> fully attacker-controlled.
>
> The write is reachable from unprivileged open(O_CREAT) on a mounted
> crafted NTFS image: a single sufficiently long create in a directory
> whose resident root is already full forces root promotion and
> triggers the copy.
>
> This is a controlled out-of-bounds write of 120-136 bytes past a
> kmalloc(index_block_size) allocation, with attacker-controlled
> content. It is a bounded adjacent-heap corruption primitive; it is
> not an arbitrary-address write. Successful exploitation into a named
> victim object depends on the surrounding slab layout.
>
> Reject the copy at the sink. The destination's INDEX_HDR already
> reports hdr_total (the payload capacity of the new buffer) and
> hdr_used (the bytes already consumed by the terminal END entry
> installed by indx_new()); require that to_move fits in the remaining
> payload before calling hdr_insert_head(). On mismatch, fail with
> -EINVAL and mark the filesystem as having a detected on-disk
> inconsistency, which is the same behaviour as the surrounding
> validation in this function.
>
> Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
> Cc: stable@vger.kernel.org
> Assisted-by: Claude:claude-opus-4-7
> Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
> ---
>
>   - FYI, like the sp_size patch, I have a larger refactor that might
>     make this easier to avoid long term.  It's a mount-time variant
>     that adds the cross-check between root->index_block_size and
>     the resident root attribute size to indx_init() instead of the
>     sink, closing the whole "root entries do not fit declared
>     index_block_size" class for any future caller that reaches
>     hdr_insert_head from elsewhere.  Happy to send it as v2 if
>     you prefer the wider change;  otherwise, this minimal guard is
>     scoped to the minimal memcpy overrun site and is easier to
>     backport.
>
>   fs/ntfs3/index.c | 16 ++++++++++++++++
>   1 file changed, 16 insertions(+)
>
> diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
> index 2c43e7c27861..b7633b721d19 100644
> --- a/fs/ntfs3/index.c
> +++ b/fs/ntfs3/index.c
> @@ -1740,6 +1740,22 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
>   	hdr_used = le32_to_cpu(hdr->used);
>   	hdr_total = le32_to_cpu(hdr->total);
>   
> +	/*
> +	 * The destination INDEX_BUFFER has 'hdr_total' bytes of payload
> +	 * available after the header, of which 'hdr_used' are already
> +	 * consumed by the single terminal END entry installed by
> +	 * indx_new(). A crafted image can present a resident root whose
> +	 * non-last entries (summing to 'to_move') exceed what fits in
> +	 * this buffer; copying them unchecked would overrun the
> +	 * kmalloc(1u << indx->index_bits) allocation backing the new
> +	 * buffer. Reject the copy in that case.
> +	 */
> +	if (to_move > hdr_total - hdr_used) {
> +		err = -EINVAL;
> +		ntfs_set_state(sbi, NTFS_DIRTY_ERROR);
> +		goto out_put_n;
> +	}
> +
>   	/* Copy root entries into new buffer. */
>   	hdr_insert_head(hdr, re, to_move);
>   

Hello,

Sorry for the delay.
Your patch is queued for the next merge window, thanks.

Regards,
Konstantin