git.ipfire.org Git - thirdparty/kernel/linux.git/commit
ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()
author Zhan Xusheng <zhanxusheng@xiaomi.com>
Thu, 23 Apr 2026 04:52:26 +0000 (12:52 +0800)
committer Namjae Jeon <linkinjeon@kernel.org>
Mon, 27 Apr 2026 13:31:19 +0000 (22:31 +0900)
commit cad7c6f0a5147680dd2081256cf8da54fb445d94
tree 04aeada317bbfa796dff92fba3e0d74184c2b13a
parent 2dd8c1662e38f7bb68a102f1acad9b518c09aeab
ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()

In ntfs_mapping_pairs_decompress(), lowest_vcn is read from
on-disk metadata and used as the initial vcn without validation.
A malformed value can introduce an invalid (e.g. negative) vcn,
corrupting the runlist from the start.

Additionally, the accumulation
    vcn += deltaxcn

does not check for s64 overflow. A crafted mapping pairs array
can wrap vcn to a negative value, breaking the monotonically-
increasing invariant relied upon by ntfs_rl_vcn_to_lcn() and
related helpers.

Fix this by validating lowest_vcn and using check_add_overflow()
for vcn accumulation.

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
fs/ntfs/runlist.c
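
The two checks named in the commit message, as an added user-space example; this is not the code from this commit or from fs/ntfs/runlist.c. The function names are hypothetical, the GCC/Clang builtin `__builtin_add_overflow()` stands in for the kernel's `check_add_overflow()`, and the LCN delta of each run is skipped rather than decoded.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read an n-byte little-endian signed integer (1 <= n <= 8). */
static int64_t read_sle(const uint8_t *p, unsigned n)
{
	int64_t v = (int8_t)p[n - 1];	/* sign-extend the top byte */

	while (--n)
		v = (int64_t)((uint64_t)v << 8) | p[n - 1];
	return v;
}

/*
 * Hypothetical sketch, not the kernel function: walk a mapping pairs
 * array and return the VCN after the last run, or -1 if the array is
 * malformed or the VCN would leave the range [0, INT64_MAX].
 */
int64_t walk_mapping_pairs(const uint8_t *buf, size_t len, int64_t lowest_vcn)
{
	int64_t vcn = lowest_vcn, deltaxcn;
	size_t i = 0;

	if (lowest_vcn < 0)		/* on-disk value, untrusted */
		return -1;
	while (i < len && buf[i] != 0) {
		unsigned lsz = buf[i] & 0x0f;	/* bytes in the run length */
		unsigned osz = buf[i] >> 4;	/* bytes in the LCN delta */

		if (lsz == 0 || lsz > 8 || osz > 8 || len - i < 1 + lsz + osz)
			return -1;
		deltaxcn = read_sle(buf + i + 1, lsz);
		/* Reject negative lengths, then add with an overflow check. */
		if (deltaxcn < 0 || __builtin_add_overflow(vcn, deltaxcn, &vcn))
			return -1;
		i += 1 + lsz + osz;
	}
	return i < len ? vcn : -1;	/* the 0 terminator must be present */
}

int main(void)
{
	/* Constructed input: runs of 4 and 3 clusters, then the terminator. */
	const uint8_t mp[] = { 0x11, 0x04, 0x10, 0x11, 0x03, 0x05, 0x00 };

	printf("%lld\n", (long long)walk_mapping_pairs(mp, sizeof mp, 0));
	printf("%lld\n", (long long)walk_mapping_pairs(mp, sizeof mp, INT64_MAX - 6));
	return 0;
}
```

With a plain `vcn += deltaxcn` the second call would wrap to a negative VCN instead of being rejected.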