ntfs3: bound to_move in indx_insert_into_root before hdr_insert_head

indx_insert_into_root() promotes a full resident $INDEX_ROOT into
$INDEX_ALLOCATION and copies all non-last resident root entries into
a newly allocated INDEX_BUFFER via hdr_insert_head(). The source
byte count 'to_move' is summed from the on-disk resident entry sizes
and is independent of the destination buffer size, which comes from
root->index_block_size (via indx->index_bits).

A crafted NTFS image that keeps a valid, full resident root but
shrinks root->index_block_size down to 512 after the root has been
populated makes hdr_insert_head() memcpy attacker-controlled resident
entry bytes past the end of the kmalloc(1u << indx->index_bits)
allocation returned by indx_new(). For a 512-byte destination and a
resident root whose non-last entries total 560 bytes, the memcpy
overruns by 120 bytes and a following memmove extends the highest
written offset to 136 bytes past the allocation. The overflow bytes
are a direct copy of on-disk entries (via kmemdup), so they are
fully attacker-controlled.

The write is reachable from unprivileged open(O_CREAT) on a mounted
crafted NTFS image: a single sufficiently long create in a directory
whose resident root is already full forces root promotion and
triggers the copy.

This is a controlled out-of-bounds write of 120-136 bytes past a
kmalloc(index_block_size) allocation, with attacker-controlled
content. It is a bounded adjacent-heap corruption primitive; it is
not an arbitrary-address write. Successful exploitation into a named
victim object depends on the surrounding slab layout.

Reject the copy at the sink. The destination's INDEX_HDR already
reports hdr_total (the payload capacity of the new buffer) and
hdr_used (the bytes already consumed by the terminal END entry
installed by indx_new()); require that to_move fits in the remaining
payload before calling hdr_insert_head(). On mismatch, fail with
-EINVAL and mark the filesystem as having a detected on-disk
inconsistency, which is the same behaviour as the surrounding
validation in this function.

Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>

diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index dbf5ec00b2376f7d4f986e03e6433ec50f2ee32f..5868964e129c18a19d5226a7e7543a11e7651b74 100644 (file)
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -1742,6 +1742,22 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
        hdr_used = le32_to_cpu(hdr->used);
        hdr_total = le32_to_cpu(hdr->total);
 
+       /*
+        * The destination INDEX_BUFFER has 'hdr_total' bytes of payload
+        * available after the header, of which 'hdr_used' are already
+        * consumed by the single terminal END entry installed by
+        * indx_new(). A crafted image can present a resident root whose
+        * non-last entries (summing to 'to_move') exceed what fits in
+        * this buffer; copying them unchecked would overrun the
+        * kmalloc(1u << indx->index_bits) allocation backing the new
+        * buffer. Reject the copy in that case.
+        */
+       if (to_move > hdr_total - hdr_used) {
+               err = -EINVAL;
+               ntfs_set_state(sbi, NTFS_DIRTY_ERROR);
+               goto out_put_n;
+       }
+
        /* Copy root entries into new buffer. */
        hdr_insert_head(hdr, re, to_move);