git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jaehun Gou <p22gone@gmail.com>
	Tue, 2 Dec 2025 11:01:46 +0000 (20:01 +0900)
committer	Sasha Levin <sashal@kernel.org>
	Wed, 4 Mar 2026 12:20:44 +0000 (07:20 -0500)
commit	fd508939dbca5eceefb2d0c2564beb15469572f2
tree	ed567bfda1eea13317b6a7aabc23100b892fad93	tree \| snapshot
parent	3c3a6e951b9b53dab2ac460a655313cf04c4a10a	commit \| diff

fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST

[ Upstream commit 06909b2549d631a47fcda249d34be26f7ca1711d ]

We found an infinite loop bug in the ntfs3 file system that can lead to a
Denial-of-Service (DoS) condition.

A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute
indicates a zero data size while the driver allocates memory for it.

When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set
to zero, it still allocates memory because of al_aligned(0). This creates an
inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is
non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute
list exists and enumerates only the primary MFT record. When it finds
ATTR_LIST, the code reloads it and restarts the enumeration, repeating
indefinitely. The mount operation never completes, hanging the kernel thread.

This patch adds validation to ensure that data_size is non-zero before memory
allocation. When a zero-sized ATTR_LIST is detected, the function returns
-EINVAL, preventing a DoS vulnerability.

Co-developed-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Co-developed-by: Jihoon Kwon <kjh010315@gmail.com>
Signed-off-by: Jihoon Kwon <kjh010315@gmail.com>
Signed-off-by: Jaehun Gou <p22gone@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>