git.ipfire.org Git - thirdparty/linux.git/commit

author	DaeMyung Kang <charsyam@gmail.com>
	Sat, 9 May 2026 06:12:37 +0000 (15:12 +0900)
committer	Namjae Jeon <linkinjeon@kernel.org>
	Sat, 9 May 2026 15:42:28 +0000 (00:42 +0900)
commit	b64f0ae5d47c0bd9581eb9cd59375a87f748dc00
tree	2df5b470f5f8f25a932f780d59bd4caf60ace63c	tree \| snapshot
parent	679ee5afd5b4764911656b4d4b83b9abee2b5572	commit \| diff

ntfs: validate attribute name bounds before returning it

ntfs_attr_find() validates a named attribute before comparing it with the
requested name, but that check is currently after the AT_UNUSED handling.
When callers enumerate attributes with AT_UNUSED, ntfs_attr_find() can
return a malformed named attribute before checking whether name_offset
and name_length stay within the attribute record.

Some enumeration callers use the returned attribute name pointer
directly.  For example, one path passes (attr + name_offset, name_length)
to ntfs_attr_iget(), where the name can later be copied according to
name_length.  A malformed on-disk name_offset/name_length pair should not
be exposed to those callers.

Move the existing name bounds validation before returning attributes
during AT_UNUSED enumeration, and write it as an offset/remaining-size
check so the subtraction cannot underflow.  Extract the converted values
into local variables (name_offset, attr_len, name_size) to make the
intent explicit and avoid repeating the endian conversions inside the
bounds check.  This keeps matching attributes on the same checked path
while also covering attribute enumeration.

A small userspace ASAN model with attr length=32, name_offset=124 and
name_length=8 reproduces a heap-buffer-overflow read in the old
enumeration path.  With this change the same malformed attribute is
rejected before the name pointer is returned to the caller.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>