From: rtm@csail.mit.edu
To: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Cc: ntfs3@lists.linux.dev
Subject: buffer overflow in ntfs3's log_replay()
Date: Sun, 25 Jan 2026 17:14:32 -0500
Message-ID: <42774.1769379272@localhost>
Below is a demo in which a corrupt NTFS image mounted r/w with ntfs3
causes log_replay() to allocate 112 bytes for ra at line 4029:

    ra = kzalloc(log->restart_size, GFP_NOFS);

but then copies 96 bytes to ra at offset 64 at line 4041:

    memcpy(ra->clients, Add2Ptr(ra2, t16),
           le16_to_cpu(ra2->ra_len) - t16);

log->restart_size is 112, ra2->ra_len is 112, and t16 (really
ra2->client_off) is 16.

To reproduce:

    # uname -a
    Linux ubuntu66 6.19.0-rc6-00447-g4dc00a84391e #39 SMP PREEMPT_DYNAMIC Sun Jan 25 16:32:13 EST 2026 x86_64 x86_64 x86_64 GNU/Linux
    # wget http://www.rtmrtm.org/rtm/ntfs30a.img.gz
    # gunzip ntfs30a.img.gz
    # mount -t ntfs3 -o loop,rw ntfs30a.img /mnt

[Right Redzone overwritten] 0xffff8881097bd600-0xffff8881097bd607 @offset=5632. First byte 0xff instead of 0xcc
=============================================================================
BUG kmalloc-128 (Not tainted): Object corrupt
-----------------------------------------------------------------------------
Allocated in 0xffffffffffffffff age=0 cpu=4294967295 pid=1330
Freed in free_rb_tree_fname+0x42/0x70 age=20073 cpu=1 pid=413
Slab 0xffffea000425ef00 objects=21 used=15 fp=0xffff8881097bda00 flags=0x200000000000240(workingset|head|node=0|zone=2)
Object 0xffff8881097bd580 @offset=5504 fp=0xffffffffffffffff
Redzone ffff8881097bd500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff8881097bd510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff8881097bd520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff8881097bd530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff8881097bd540: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff8881097bd550: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff8881097bd560: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff8881097bd570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Object ffff8881097bd580: 7f 08 00 e0 ff ff ff ff 01 00 ff ff 00 00 ff ff ................
Object ffff8881097bd590: 43 00 00 00 a0 00 40 00 00 00 00 00 00 00 00 00 C.....@.........
Object ffff8881097bd5a0: ff ff ff ff f8 ff f8 ff 42 ad 60 44 ff ff ff ff ........B.`D....
Object ffff8881097bd5b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff8881097bd5c0: 43 00 00 00 70 00 10 00 00 00 00 00 00 00 00 00 C...p...........
Object ffff8881097bd5d0: ff ff ff ff f8 ff f8 ff ff ff ff ff ff ff ff ff ................
Object ffff8881097bd5e0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff8881097bd5f0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Redzone ffff8881097bd600: ff ff ff ff ff ff ff ff ........
Padding ffff8881097bd654: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding ffff8881097bd664: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding ffff8881097bd674: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
Robert Morris
rtm@mit.edu
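The arithmetic behind the report is simple: the allocation is sized by log->restart_size (112), but the copy length is ra2->ra_len - ra2->client_off (112 - 16 = 96) and lands at offset 64, so the last 48 bytes go past the end of the 112-byte object, which is exactly what the overwritten right redzone shows. The following C program is an added example, not ntfs3 code and not part of the original message. It models the two quoted lines with a constructed restart-area layout (clients[] at offset 64 to match the report; ra_len and client_off placed at header offsets 0 and 2, which is an assumption, not ntfs3's real struct), computes how far the unchecked memcpy overruns for the values in the email, and shows the bounds check a fix needs: client_off must not exceed ra_len, ra_len must not exceed the source buffer, and offset-of-clients plus the copy length must fit in restart_size.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Layout assumptions for this example (not ntfs3's real RESTART_AREA):
 * the header ends where the email's copy starts, so clients[] is at offset
 * 64; ra_len and client_off are 16-bit little-endian fields at offsets 0 and 2. */
#define RA_CLIENTS_OFF 64
#define RA_LEN_OFF      0
#define RA_CLIENT_OFF   2

struct restart_area {
    uint8_t hdr[RA_CLIENTS_OFF];
    uint8_t clients[];          /* begins at offset 64, as in the report */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Bytes the unchecked copy
 *   memcpy(ra->clients, ra2 + client_off, ra_len - client_off)
 * would write past a restart_size-byte allocation; 0 when it fits.
 * client_off > ra_len makes the length wrap, reported as SIZE_MAX. */
size_t overflow_bytes(size_t restart_size, uint16_t ra_len, uint16_t client_off)
{
    if (client_off > ra_len)
        return SIZE_MAX;
    size_t end = RA_CLIENTS_OFF + (size_t)(ra_len - client_off);
    return end > restart_size ? end - restart_size : 0;
}

/* Constructs a restart-area image in buf[0..size) with the given fields.
 * The 0xff filler mirrors the bytes visible in the SLUB dump. */
void build_ra2(uint8_t *buf, size_t size, uint16_t ra_len, uint16_t client_off)
{
    memset(buf, 0xff, size);
    wr16le(buf + RA_LEN_OFF, ra_len);
    wr16le(buf + RA_CLIENT_OFF, client_off);
}

/* Bounds-checked form of the copy. Returns 0 and stores a calloc'd
 * restart_size-byte area in *out, or -1 when the on-disk fields do not fit. */
int replay_clients_checked(const uint8_t *ra2, size_t ra2_size,
                           size_t restart_size, struct restart_area **out)
{
    *out = NULL;
    if (ra2_size < RA_CLIENTS_OFF || restart_size < RA_CLIENTS_OFF)
        return -1;
    uint16_t ra_len = rd16le(ra2 + RA_LEN_OFF);
    uint16_t t16    = rd16le(ra2 + RA_CLIENT_OFF);
    if (t16 > ra_len || ra_len > ra2_size)        /* length sane and inside the source */
        return -1;
    size_t n = (size_t)(ra_len - t16);
    if (n > restart_size - RA_CLIENTS_OFF)        /* copy must fit inside the allocation */
        return -1;
    struct restart_area *ra = calloc(1, restart_size);
    if (!ra)
        return -1;
    memcpy(ra->clients, ra2 + t16, n);
    *out = ra;
    return 0;
}

int main(void)
{
    uint8_t bad[112], good[112];
    struct restart_area *ra;

    build_ra2(bad, sizeof bad, 112, 16);    /* the values from the report */
    build_ra2(good, sizeof good, 112, 64);  /* clients really start at 64 */

    printf("report's image: unchecked copy overruns by %zu bytes\n",
           overflow_bytes(112, 112, 16));
    printf("checked replay on report's image: %d\n",
           replay_clients_checked(bad, sizeof bad, 112, &ra));
    printf("checked replay on sane image: %d\n",
           replay_clients_checked(good, sizeof good, 112, &ra));
    free(ra);
    return 0;
}
```

With the report's numbers overflow_bytes() returns 48, matching the eight redzone bytes flagged plus the forty bytes of slab padding beyond them; the checked variant rejects that image and accepts one whose client_off places the copy within the 112-byte allocation. In the kernel the same checks belong before the kzalloc so a hostile ra_len cannot drive the copy size at all.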
Thread overview (2 messages):
2026-01-25 22:14  rtm                 buffer overflow in ntfs3's log_replay() [this message]
2026-02-09 09:44  Konstantin Komarov  ` buffer overflow in ntfs3's log_replay()