Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
ntfs3: add buffer boundary checks to run_unpack()

run_unpack() checks `run_buf < run_last` at the top of the while loop
but then reads size_size and offset_size bytes via run_unpack_s64()
without verifying they fit within the remaining buffer. A crafted NTFS
image with truncated run data in an MFT attribute triggers an OOB heap
read of up to 15 bytes when the filesystem is mounted.

Add boundary checks before each run_unpack_s64() call to ensure the
declared field size does not exceed the remaining buffer.

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

Fixes: 82cae269cfa95 ("fs/ntfs3: Add initialization of super block")
Cc: stable@vger.kernel.org
Signed-off-by: Tobias Gaertner <tob.gaertner@me.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
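The decoding loop the message describes, as an added example that is not part of this commit or of fs/ntfs3: a stand-alone C model of NTFS run-list decoding with the pre-fix logic and the patched bound checks side by side. Everything here is invented for the example: the function names (decode_runs, unpack_s64, sample_lcn, overread_bytes), the SPARSE_LCN sentinel, and the sample byte strings. The padding bytes after each truncated list stand in for whatever follows the attribute in the real heap buffer, so the unbounded path can show the over-read without actually touching memory outside the array.

```c
/* Stand-alone model of NTFS run-list ("mapping pairs") decoding. Not the
 * kernel's code; names, sentinel and sample bytes are invented for this example. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPARSE_LCN (-1LL) /* sentinel for a sparse run (assumption, not the kernel's constant) */

struct run {
	int64_t len; /* run length in clusters */
	int64_t lcn; /* first logical cluster, or SPARSE_LCN */
};

/* Little-endian read of n bytes on top of v (-1 or 0, so the result is
 * sign-extended), mirroring what run_unpack_s64() does. Done on an unsigned
 * accumulator to avoid shifting a negative value. */
static int64_t unpack_s64(const uint8_t *p, unsigned n, int64_t v)
{
	uint64_t acc = (uint64_t)v;
	for (unsigned i = n; i > 0; i--)
		acc = (acc << 8) | p[i - 1];
	return (int64_t)acc;
}

/* Each run: header byte (low nibble = length byte count, high nibble = offset
 * byte count, 0 = sparse), then the length bytes, then a signed LCN delta.
 * A zero header ends the list.
 * bounded = 0 reproduces the pre-fix behaviour: only `p < end` at the loop top,
 * so field reads can run past `end`. bounded = 1 adds the two per-field checks
 * the patch introduces. Returns the run count or -EINVAL; *consumed gets the
 * number of bytes actually read. */
int decode_runs(const uint8_t *buf, size_t len, int bounded,
		struct run *out, size_t max_out, size_t *consumed)
{
	const uint8_t *p = buf, *end = buf + len;
	int64_t lcn = 0, run_len, d;
	int n = 0;

	while (p < end) {
		uint8_t hdr = *p++;
		unsigned size_size = hdr & 0x0F, offset_size = hdr >> 4;
		struct run r;

		if (!hdr)
			break; /* end of list */
		if (size_size == 0 || size_size > sizeof(int64_t))
			return -EINVAL;
		if (bounded && size_size > (size_t)(end - p))
			return -EINVAL; /* first check added by the patch */
		run_len = unpack_s64(p, size_size, 0);
		p += size_size;
		if (run_len <= 0)
			return -EINVAL;

		if (offset_size == 0) {
			r.lcn = SPARSE_LCN;
		} else if (offset_size <= sizeof(int64_t)) {
			if (bounded && offset_size > (size_t)(end - p))
				return -EINVAL; /* second check added by the patch */
			d = (p[offset_size - 1] & 0x80) ? -1 : 0;
			d = unpack_s64(p, offset_size, d);
			p += offset_size;
			lcn += d;
			r.lcn = lcn;
		} else {
			return -EINVAL;
		}
		r.len = run_len;
		if (out && (size_t)n < max_out)
			out[n] = r;
		n++;
	}
	if (consumed)
		*consumed = (size_t)(p - buf);
	return n;
}

/* Constructed sample (not from a real image): three runs and the terminator. */
static const uint8_t sample_runs[] = {
	0x21, 0x10, 0x00, 0x40, /* 16 clusters, 2-byte offset +0x4000 */
	0x11, 0x08, 0xF0,       /* 8 clusters, 1-byte offset -16       */
	0x01, 0x04,             /* 4 clusters, no offset: sparse       */
	0x00,
};

/* Constructed truncated lists. Only the first TRUNC_*_LEN bytes are "in" the
 * attribute; the rest is padding standing in for adjacent heap memory. */
static const uint8_t trunc_length[8] = { 0x12, 0x05, 0x00, 0x07, 0, 0, 0, 0 }; /* header promises 2 length bytes, none present */
#define TRUNC_LENGTH_LEN 1
static const uint8_t trunc_offset[8] = { 0x21, 0x10, 0x00, 0x40, 0, 0, 0, 0 }; /* header promises 2 offset bytes, 1 present */
#define TRUNC_OFFSET_LEN 3

/* LCN of run idx in the sample list, or INT64_MIN if decoding fails. */
int64_t sample_lcn(size_t idx)
{
	struct run out[8];
	int n = decode_runs(sample_runs, sizeof sample_runs, 1, out, 8, NULL);
	return (n > 0 && idx < (size_t)n) ? out[idx].lcn : INT64_MIN;
}

/* How many bytes the unbounded (pre-fix) decoder reads past `len`. */
size_t overread_bytes(const uint8_t *buf, size_t len)
{
	size_t used = 0;
	int n = decode_runs(buf, len, 0, NULL, 0, &used);
	return (n < 0 || used <= len) ? 0 : used - len;
}

int main(void)
{
	struct run out[8];
	int n = decode_runs(sample_runs, sizeof sample_runs, 1, out, 8, NULL);
	for (int i = 0; i < n; i++)
		printf("run %d: len=%lld lcn=%lld\n", i, (long long)out[i].len, (long long)out[i].lcn);
	printf("truncated offset, bounded: %d\n", decode_runs(trunc_offset, TRUNC_OFFSET_LEN, 1, NULL, 0, NULL));
	printf("truncated offset, unbounded: %zu byte(s) read past the end\n", overread_bytes(trunc_offset, TRUNC_OFFSET_LEN));
	printf("truncated length, unbounded: %zu byte(s) read past the end\n", overread_bytes(trunc_length, TRUNC_LENGTH_LEN));
	return 0;
}
```

The two truncated lists exercise the two hunks separately: trunc_length stops after the header, so the length-field check fires; trunc_offset carries a complete length byte but not the full offset, so the offset-field check fires. With bounded = 0 both decode "successfully" and report bytes read beyond the declared attribute size, which is the over-read the commit message describes.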

Authored by Tobias Gaertner and committed by Konstantin Komarov
b62567bc 6d979b64

fs/ntfs3/run.c
··· 1008 1008 if (size_size > sizeof(len)) 1009 1009 return -EINVAL; 1010 1010 1011 + if (run_buf + size_size > run_last) 1012 + return -EINVAL; 1013 + 1011 1014 len = run_unpack_s64(run_buf, size_size, 0); 1012 1015 /* Skip size_size. */ 1013 1016 run_buf += size_size; ··· 1022 1019 lcn = SPARSE_LCN64; 1023 1020 else if (offset_size <= sizeof(s64)) { 1024 1021 s64 dlcn; 1022 + 1023 + if (run_buf + offset_size > run_last) 1024 + return -EINVAL; 1025 1025 1026 1026 /* Initial value of dlcn is -1 or 0. */ 1027 1027 dlcn = (run_buf[offset_size - 1] & 0x80) ? (s64)-1 : 0;
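Review bot: both new checks form a pointer (`run_buf + size_size`, `run_buf + offset_size`) and compare it against `run_last`; with size_size and offset_size already limited to sizeof(s64) this works in practice, but the length form `if (size_size > run_last - run_buf)` avoids constructing a pointer past the end of the attribute buffer and states the "remaining bytes" condition the commit message describes directly. Placement is right in both hunks: each check sits immediately before the run_unpack_s64() read it guards, and the second also covers the `run_buf[offset_size - 1]` access in the unchanged line that follows it.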