ntfs3: fix integer overflow in run_unpack() volume boundary check
authorTobias Gaertner <tob.gaertner@me.com>
Sun, 29 Mar 2026 11:17:03 +0000 (04:17 -0700)
committerKonstantin Komarov <almaz.alexandrovich@paragon-software.com>
Tue, 7 Apr 2026 16:43:39 +0000 (18:43 +0200)
The volume boundary check `lcn + len > sbi->used.bitmap.nbits` uses raw
addition which can wrap around for large lcn and len values, bypassing
the validation.  Use check_add_overflow() as is already done for the
adjacent prev_lcn + dlcn and vcn64 + len checks added by commit
3ac37e100385 ("ntfs3: Fix integer overflow in run_unpack()").

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

Fixes: 82cae269cfa95 ("fs/ntfs3: Add initialization of super block")
Cc: stable@vger.kernel.org
Signed-off-by: Tobias Gaertner <tob.gaertner@me.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3/run.c

index 29817ecb1c7d4f946074b48f1232881373bc082b..1ce7d92fb27482eb91f48582b4b38a70d18842ef 100644 (file)
@@ -1065,9 +1065,15 @@ int run_unpack(struct runs_tree *run, struct ntfs_sb_info *sbi, CLST ino,
                        return -EOPNOTSUPP;
                }
 #endif
-               if (lcn != SPARSE_LCN64 && lcn + len > sbi->used.bitmap.nbits) {
-                       /* LCN range is out of volume. */
-                       return -EINVAL;
+               if (lcn != SPARSE_LCN64) {
+                       u64 lcn_end;
+
+                       if (check_add_overflow(lcn, len, &lcn_end))
+                               return -EINVAL;
+                       if (lcn_end > sbi->used.bitmap.nbits) {
+                               /* LCN range is out of volume. */
+                               return -EINVAL;
+                       }
                }
 
                if (!run)
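Review bot: The new wrap-around rejection, `if (check_add_overflow(lcn, len, &lcn_end)) return -EINVAL;`, has no comment, and the existing `/* LCN range is out of volume. */` now explains only the second test, so it is not obvious that both branches reject the same malformed on-disk run. Folding them into one condition keeps a single rejection path: `if (check_add_overflow(lcn, len, &lcn_end) || lcn_end > sbi->used.bitmap.nbits) {` with the comment `/* LCN range wraps around or is out of volume. */`. The declarations of `lcn` and `len` are outside the hunk; the check only catches a 64-bit wrap if both are `u64` like `lcn_end`, which is presumably the case but worth confirming. The body of run_unpack() starts before and continues after this hunk.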