public inbox for ntfs3@lists.linux.dev
* buffer overflow in ntfs3's log_replay()
@ 2026-01-25 22:14 rtm
  2026-02-09  9:44 ` Konstantin Komarov
  0 siblings, 1 reply; 2+ messages in thread
From: rtm @ 2026-01-25 22:14 UTC
  To: Konstantin Komarov; +Cc: ntfs3

Below is a demo in which a corrupt NTFS image mounted r/w with ntfs3
causes log_replay() to allocate 112 bytes for ra at line 4029:

        ra = kzalloc(log->restart_size, GFP_NOFS);

but then copies 96 bytes to ra at offset 64 at line 4041:

                memcpy(ra->clients, Add2Ptr(ra2, t16),
                       le16_to_cpu(ra2->ra_len) - t16);

log->restart_size is 112, ra2->ra_len is 112, and t16 (really
ra2->client_off) is 16.

To reproduce:

# uname -a
Linux ubuntu66 6.19.0-rc6-00447-g4dc00a84391e #39 SMP PREEMPT_DYNAMIC Sun Jan 25 16:32:13 EST 2026 x86_64 x86_64 x86_64 GNU/Linux
# wget http://www.rtmrtm.org/rtm/ntfs30a.img.gz
# gunzip ntfs30a.img.gz 
# mount -t ntfs3 -o loop,rw ntfs30a.img /mnt
[Right Redzone overwritten] 0xffff8881097bd600-0xffff8881097bd607 @offset=5632. First byte 0xff instead of 0xcc
=============================================================================
BUG kmalloc-128 (Not tainted): Object corrupt
-----------------------------------------------------------------------------
Allocated in 0xffffffffffffffff age=0 cpu=4294967295 pid=1330
Freed in free_rb_tree_fname+0x42/0x70 age=20073 cpu=1 pid=413
Slab 0xffffea000425ef00 objects=21 used=15 fp=0xffff8881097bda00 flags=0x200000000000240(workingset|head|node=0|zone=2)
Object 0xffff8881097bd580 @offset=5504 fp=0xffffffffffffffff
Redzone  ffff8881097bd500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
Redzone  ffff8881097bd510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
Redzone  ffff8881097bd520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
Redzone  ffff8881097bd530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
Redzone  ffff8881097bd540: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
Redzone  ffff8881097bd550: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
Redzone  ffff8881097bd560: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
Redzone  ffff8881097bd570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
Object   ffff8881097bd580: 7f 08 00 e0 ff ff ff ff 01 00 ff ff 00 00 ff ff  ................
Object   ffff8881097bd590: 43 00 00 00 a0 00 40 00 00 00 00 00 00 00 00 00  C.....@.........
Object   ffff8881097bd5a0: ff ff ff ff f8 ff f8 ff 42 ad 60 44 ff ff ff ff  ........B.`D....
Object   ffff8881097bd5b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
Object   ffff8881097bd5c0: 43 00 00 00 70 00 10 00 00 00 00 00 00 00 00 00  C...p...........
Object   ffff8881097bd5d0: ff ff ff ff f8 ff f8 ff ff ff ff ff ff ff ff ff  ................
Object   ffff8881097bd5e0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
Object   ffff8881097bd5f0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
Redzone  ffff8881097bd600: ff ff ff ff ff ff ff ff                          ........
Padding  ffff8881097bd654: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
Padding  ffff8881097bd664: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
Padding  ffff8881097bd674: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ

Robert Morris
rtm@mit.edu
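The report above boils down to one arithmetic fact: the copy length is `ra_len - client_off` and the destination starts 64 bytes into an allocation of `restart_size` bytes, so the write stays in bounds only if `64 + (ra_len - client_off) <= restart_size`. The following is an added, stand-alone model of that bounds check, written by the editor; it is not the kernel's code and not a proposed patch. It assumes only the numbers in the report (restart_size 112, ra_len 112, client_off 16, clients at offset 64); the `restart_area_model` struct, the `CLIENTS_OFFSET` constant and the function names are hypothetical, and the real `RESTART_AREA` layout in `fs/ntfs3/` is not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model: the report says ra->clients lives at byte offset 64
 * of the restart_size-byte allocation. The real kernel struct is not
 * reproduced here; only the two fields the report names are modelled. */
#define CLIENTS_OFFSET 64

struct restart_area_model {
    uint16_t client_off; /* t16 in the report: where client records start */
    uint16_t ra_len;     /* on-disk length of the whole restart area */
};

/* Decide whether copying (ra_len - client_off) bytes to offset
 * CLIENTS_OFFSET of a restart_size-byte buffer stays in bounds.
 * Arithmetic is done in size_t so a client_off > ra_len cannot wrap.
 * *copy_len receives the byte count the copy would use (0 if rejected). */
static bool restart_copy_fits(size_t restart_size, uint16_t ra_len,
                              uint16_t client_off, size_t *copy_len)
{
    size_t len;

    if (copy_len)
        *copy_len = 0;
    if (client_off > ra_len)             /* subtraction would underflow */
        return false;
    len = (size_t)ra_len - client_off;
    if (copy_len)
        *copy_len = len;
    if (CLIENTS_OFFSET > restart_size)   /* destination itself is out of range */
        return false;
    return len <= restart_size - CLIENTS_OFFSET;
}

/* Guarded version of the unchecked memcpy from the report: copies the
 * client records into ra only when the bounds check passes. */
static bool copy_clients_checked(uint8_t *ra, size_t restart_size,
                                 const uint8_t *ra2, uint16_t ra_len,
                                 uint16_t client_off)
{
    size_t len;

    if (!restart_copy_fits(restart_size, ra_len, client_off, &len))
        return false;
    memcpy(ra + CLIENTS_OFFSET, ra2 + client_off, len);
    return true;
}

int main(void)
{
    /* Constructed values straight from the report: 112-byte allocation,
     * ra_len 112, client_off 16 -> 96 bytes landing at offset 64. */
    struct restart_area_model bad = { .client_off = 16, .ra_len = 112 };
    struct restart_area_model ok  = { .client_off = 64, .ra_len = 112 };
    size_t len;

    printf("report values: fits=%d len=%zu (64+len=%zu > 112)\n",
           restart_copy_fits(112, bad.ra_len, bad.client_off, &len), len,
           CLIENTS_OFFSET + len);
    printf("client_off=64: fits=%d len=%zu (64+len=%zu <= 112)\n",
           restart_copy_fits(112, ok.ra_len, ok.client_off, &len), len,
           CLIENTS_OFFSET + len);
    return 0;
}
```

With the report's numbers the check computes a 96-byte copy ending at byte 160 of a 112-byte object and rejects it, which is exactly the 48-byte redzone overrun the SLUB output shows (the first 8 bytes of it are what `[Right Redzone overwritten]` flags). Raising `client_off` to 64 yields a 48-byte copy that ends at byte 112 and passes.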



* Re: buffer overflow in ntfs3's log_replay()
  2026-01-25 22:14 buffer overflow in ntfs3's log_replay() rtm
@ 2026-02-09  9:44 ` Konstantin Komarov
  0 siblings, 0 replies; 2+ messages in thread
From: Konstantin Komarov @ 2026-02-09  9:44 UTC
  To: rtm; +Cc: ntfs3

On 1/25/26 23:14, rtm@csail.mit.edu wrote:

> Below is a demo in which a corrupt NTFS image mounted r/w with ntfs3
> causes log_replay() to allocate 112 bytes for ra at line 4029:
>
>          ra = kzalloc(log->restart_size, GFP_NOFS);
>
> but then copies 96 bytes to ra at offset 64 at line 4041:
>
>                  memcpy(ra->clients, Add2Ptr(ra2, t16),
>                         le16_to_cpu(ra2->ra_len) - t16);
>
> log->restart_size is 112, ra2->ra_len is 112, and t16 (really
> ra2->client_off) is 16.
>
> To reproduce:
>
> # uname -a
> Linux ubuntu66 6.19.0-rc6-00447-g4dc00a84391e #39 SMP PREEMPT_DYNAMIC Sun Jan 25 16:32:13 EST 2026 x86_64 x86_64 x86_64 GNU/Linux
> # wget http://www.rtmrtm.org/rtm/ntfs30a.img.gz
> # gunzip ntfs30a.img.gz
> # mount -t ntfs3 -o loop,rw ntfs30a.img /mnt
> [Right Redzone overwritten] 0xffff8881097bd600-0xffff8881097bd607 @offset=5632. First byte 0xff instead of 0xcc
> =============================================================================
> BUG kmalloc-128 (Not tainted): Object corrupt
> -----------------------------------------------------------------------------
> Allocated in 0xffffffffffffffff age=0 cpu=4294967295 pid=1330
> Freed in free_rb_tree_fname+0x42/0x70 age=20073 cpu=1 pid=413
> Slab 0xffffea000425ef00 objects=21 used=15 fp=0xffff8881097bda00 flags=0x200000000000240(workingset|head|node=0|zone=2)
> Object 0xffff8881097bd580 @offset=5504 fp=0xffffffffffffffff
> Redzone  ffff8881097bd500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
> Redzone  ffff8881097bd510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
> Redzone  ffff8881097bd520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
> Redzone  ffff8881097bd530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
> Redzone  ffff8881097bd540: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
> Redzone  ffff8881097bd550: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
> Redzone  ffff8881097bd560: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
> Redzone  ffff8881097bd570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
> Object   ffff8881097bd580: 7f 08 00 e0 ff ff ff ff 01 00 ff ff 00 00 ff ff  ................
> Object   ffff8881097bd590: 43 00 00 00 a0 00 40 00 00 00 00 00 00 00 00 00  C.....@.........
> Object   ffff8881097bd5a0: ff ff ff ff f8 ff f8 ff 42 ad 60 44 ff ff ff ff  ........B.`D....
> Object   ffff8881097bd5b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
> Object   ffff8881097bd5c0: 43 00 00 00 70 00 10 00 00 00 00 00 00 00 00 00  C...p...........
> Object   ffff8881097bd5d0: ff ff ff ff f8 ff f8 ff ff ff ff ff ff ff ff ff  ................
> Object   ffff8881097bd5e0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
> Object   ffff8881097bd5f0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
> Redzone  ffff8881097bd600: ff ff ff ff ff ff ff ff                          ........
> Padding  ffff8881097bd654: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
> Padding  ffff8881097bd664: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
> Padding  ffff8881097bd674: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ
>
> Robert Morris
> rtm@mit.edu

Hello,

Sorry for the late reply — thank you for the report and the test image.
I’ll reproduce this locally and follow up with what I find.

Regards,
Konstantin

