superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ntfs3: fix integer overflow in run_unpack() volume boundary check 

The volume boundary check `lcn + len > sbi->used.bitmap.nbits` uses raw
addition which can wrap around for large lcn and len values, bypassing
the validation.  Use check_add_overflow() as is already done for the
adjacent prev_lcn + dlcn and vcn64 + len checks added by commit
3ac37e100385 ("ntfs3: Fix integer overflow in run_unpack()").

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

Fixes: 82cae269cf ("fs/ntfs3: Add initialization of super block")
Cc: stable@vger.kernel.org
Signed-off-by: Tobias Gaertner <tob.gaertner@me.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
master
Tobias Gaertner 2026-03-29 04:17:03 -07:00 committed by Konstantin Komarov
parent b62567bca4
commit 984a415f01
No known key found for this signature in database
GPG Key ID: A9B0331F832407B6
1 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
fs/ntfs3/run.c
View File

@ -1065,9 +1065,15 @@ int run_unpack(struct runs_tree *run, struct ntfs_sb_info *sbi, CLST ino,
return -EOPNOTSUPP;
}
#endif
if (lcn != SPARSE_LCN64 && lcn + len > sbi->used.bitmap.nbits) {
/* LCN range is out of volume. */
return -EINVAL;
if (lcn != SPARSE_LCN64) {
u64 lcn_end;
if (check_add_overflow(lcn, len, &lcn_end))
return -EINVAL;
if (lcn_end > sbi->used.bitmap.nbits) {
/* LCN range is out of volume. */
return -EINVAL;
}
}
if (!run)