github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-12 16:18:45 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()

Browse Source 
In ntfs_mapping_pairs_decompress(), lowest_vcn is read from
on-disk metadata and used as the initial vcn without validation.
A malformed value can introduce an invalid (e.g. negative) vcn,
corrupting the runlist from the start.

Additionally, the accumulation
    vcn += deltaxcn

does not check for s64 overflow. A crafted mapping pairs array
can wrap vcn to a negative value, breaking the monotonically-
increasing invariant relied upon by ntfs_rl_vcn_to_lcn() and
related helpers.

Fix this by validating lowest_vcn and using check_add_overflow()
for vcn accumulation.

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
This commit is contained in:
Zhan Xusheng 2026-04-23 12:52:26 +08:00 committed by Namjae Jeon
parent 2dd8c1662e
commit cad7c6f0a5
1 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
fs/ntfs/runlist.c
View File

@ -15,6 +15,8 @@
* Copyright (c) 2007-2022 Jean-Pierre Andre
*/
#include <linux/overflow.h>
#include "ntfs.h"
#include "attrib.h"
@ -739,6 +741,7 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
int rlsize; /* Size of runlist buffer. */
u16 rlpos; /* Current runlist position in units of struct runlist_elements. */
u8 b; /* Current byte offset in buf. */
u64 lowest_vcn; /* Raw on-disk lowest_vcn. */
#ifdef DEBUG
/* Make sure attr exists and is non-resident. */
@ -747,8 +750,14 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
return ERR_PTR(-EINVAL);
}
#endif
lowest_vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn);
/* Validate lowest_vcn from on-disk metadata to ensure it is sane. */
if (overflows_type(lowest_vcn, vcn)) {
ntfs_error(vol->sb, "Invalid lowest_vcn in mapping pairs.");
goto err_out;
}
/* Start at vcn = lowest_vcn and lcn 0. */
vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn);
vcn = lowest_vcn;
lcn = 0;
/* Get start of the mapping pairs array. */
buf = (u8 *)attr +
@ -823,8 +832,17 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
* element.
*/
rl[rlpos].length = deltaxcn;
/* Increment the current vcn by the current run length. */
vcn += deltaxcn;
/*
* Increment the current vcn by the current run length.
* Guard against s64 overflow from a crafted mapping
* pairs array to preserve the monotonically-increasing
* vcn invariant.
*/
if (unlikely(check_add_overflow(vcn, deltaxcn, &vcn))) {
ntfs_error(vol->sb, "VCN overflow in mapping pairs array.");
goto err_out;
}
/*
* There might be no lcn change at all, as is the case for
* sparse clusters on NTFS 3.0+, in which case we set the lcn