fs/ntfs3: add bounds check to run_get_highest_vcn()

run_get_highest_vcn() parses a packed NTFS mapping-pairs buffer without
any length bound, relying solely on a 0x00 terminator to stop. A
crafted $LogFile UpdateMappingPairs record whose embedded attribute
contains mapping-pairs runs without a terminator causes the function to
read past the slab allocation, triggering a KASAN slab-out-of-bounds
read on mount.

The sibling function run_unpack() received an analogous bounds check in
commit b62567bca474 ("ntfs3: add buffer boundary checks to run_unpack()"),
but run_get_highest_vcn() was missed.

Take a run_buf_size parameter and reject any run header whose payload
would extend past the buffer end, mirroring the pattern used by
run_unpack(). The caller in fslog.c passes the remaining attribute
bytes after the mapping-pairs offset.

KASAN report (on mainline v7.1 merge window HEAD):

BUG: KASAN: slab-out-of-bounds in run_get_highest_vcn+0x3c0/0x410
Read of size 1 at addr ffff88800e2d5400 by task mount/72
Call Trace:
run_get_highest_vcn+0x3c0/0x410
do_action.isra.0+0x3ba8/0x7b50
log_replay+0x9ddd/0x10200
ntfs_loadlog_and_replay+0x4ad/0x610
ntfs_fill_super+0x214a/0x4540

Fixes: b62567bca474 ("ntfs3: add buffer boundary checks to run_unpack()")
Signed-off-by: Jaeyeong Lee <lee@jaeyeong.cc>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
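The bounds-checked walk the commit describes, as an added stand-alone C illustration that is not the kernel's run_get_highest_vcn() and not the patch itself: a mapping-pairs parser that treats a missing 0x00 terminator, and any run header whose length/offset fields would overrun the buffer, as a malformed record rather than reading past the allocation. The names (mp_highest_vcn, struct mp_result, mp_read_u) and the sample buffers are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed illustration, not the kernel's run_get_highest_vcn().
 *
 * Mapping-pairs format: each run begins with a header byte whose low
 * nibble is the byte count of the run length and whose high nibble is
 * the byte count of the signed, delta-encoded LCN offset (0 for a
 * sparse run). A 0x00 header byte terminates the array.
 */

struct mp_result {
	bool ok;              /* false when the buffer was rejected */
	uint64_t clusters;    /* sum of all run lengths */
	uint64_t highest_vcn; /* svcn + clusters - 1 when clusters > 0 */
};

/* Little-endian unsigned value of n bytes (n <= 8). */
static uint64_t mp_read_u(const uint8_t *p, size_t n)
{
	uint64_t v = 0;
	for (size_t i = 0; i < n; i++)
		v |= (uint64_t)p[i] << (8 * i);
	return v;
}

/*
 * Walk the mapping pairs in buf[0..buf_size) for an attribute whose first
 * VCN is svcn. Every read is checked against buf_size first, so a record
 * with no terminator, or a header whose payload runs past the end, is
 * rejected instead of being read out of bounds.
 */
struct mp_result mp_highest_vcn(const uint8_t *buf, size_t buf_size, uint64_t svcn)
{
	struct mp_result r = { .ok = false, .clusters = 0, .highest_vcn = 0 };
	size_t pos = 0;

	for (;;) {
		/* The header byte itself must lie inside the buffer: running
		 * off the end without seeing 0x00 is malformed, not EOF. */
		if (pos >= buf_size)
			return r;

		uint8_t hdr = buf[pos++];
		if (hdr == 0)
			break;

		size_t len_size = hdr & 0x0f;
		size_t off_size = hdr >> 4;

		/* A run length is mandatory; neither field exceeds 8 bytes. */
		if (len_size == 0 || len_size > 8 || off_size > 8)
			return r;

		/* Reject a header whose payload would extend past the buffer
		 * end. The remaining-bytes form on the right cannot overflow. */
		if (len_size + off_size > buf_size - pos)
			return r;

		uint64_t len = mp_read_u(buf + pos, len_size);
		pos += len_size;
		if (len == 0)
			return r; /* zero-length run is invalid */

		/* The LCN delta is not needed for the highest VCN; just skip it. */
		pos += off_size;

		if (len > UINT64_MAX - r.clusters)
			return r; /* cluster total would wrap */
		r.clusters += len;
	}

	r.ok = true;
	if (r.clusters)
		r.highest_vcn = svcn + r.clusters - 1;
	return r;
}

/* Constructed sample: run of 0x10 clusters at LCN 0x20, then a run of
 * 0x300 clusters starting 0x10 clusters lower, then the terminator. */
static const uint8_t mp_good[] = {
	0x11, 0x10, 0x20,       /* len 1 byte = 0x10, off 1 byte = +0x20 */
	0x12, 0x00, 0x03, 0xf0, /* len 2 bytes = 0x0300, off 1 byte = -0x10 */
	0x00,
};

/* Constructed sample: header claims 8 length bytes and 4 offset bytes,
 * but only one byte follows it. */
static const uint8_t mp_oversized[] = { 0x48, 0x01 };

int main(void)
{
	struct mp_result r = mp_highest_vcn(mp_good, sizeof mp_good, 0);
	printf("good: ok=%d highest_vcn=%llu\n", r.ok, (unsigned long long)r.highest_vcn);

	/* Drop the terminator: the same bytes now fail instead of overrunning. */
	r = mp_highest_vcn(mp_good, sizeof mp_good - 1, 0);
	printf("no terminator: ok=%d\n", r.ok);

	r = mp_highest_vcn(mp_oversized, sizeof mp_oversized, 0);
	printf("oversized header: ok=%d\n", r.ok);
	return 0;
}
```

The two rejection paths correspond to the two ways the crafted record in the report breaks the old code: the loop stops at the buffer end when no 0x00 arrives, and a header is refused before its length and offset bytes are touched if they would not fit in the bytes that remain.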