[PATCH 0/2] ntfs3: fix OOB read and integer overflow in run_unpack()

From: tobgaertner

Date: Sun Mar 29 2026 - 07:17:24 EST


From: Tobias Gaertner <tob.gaertner@xxxxxx>

Two bugs in run_unpack() found by fuzzing with a source-patched harness
(LibAFL + QEMU ARM64 system-mode):

Patch 1: run_unpack() checks `run_buf < run_last` at the loop top but
then reads size_size and offset_size bytes via run_unpack_s64() without
verifying they fit in the remaining buffer. A crafted NTFS image with
truncated run data triggers a heap OOB read of up to 15 bytes on mount.

Patch 2: The volume boundary check `lcn + len > sbi->used.bitmap.nbits`
uses raw addition that can wrap for large values, bypassing the
validation. CVE-2025-40068 added check_add_overflow() for adjacent
arithmetic but missed this instance.

Both bugs have been present since NTFS3 was merged in 5.15.

Could CVE IDs be assigned for these two issues?

tobgaertner (2):
ntfs3: add buffer boundary checks to run_unpack()
ntfs3: fix integer overflow in run_unpack() volume boundary check

fs/ntfs3/run.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)

--
2.43.0
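The two checks this cover letter describes, as an added illustrative model in C that is not the kernel's run_unpack() nor the code of either patch: a simplified run-list decoder that confirms both fields fit in the remaining buffer before reading them (patch 1) and replaces the raw `lcn + len > nbits` test with an overflow-checked form (patch 2). The entry layout, function names and the constructed buffers are assumptions made for the example; `volume_check_wraps()` shows the unchecked form passing a wrapped sum.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Read an n-byte little-endian field (n <= 8), sign-extending if 'sign'. */
static int64_t rd_le(const uint8_t *p, unsigned n, bool sign)
{
	uint64_t v = 0;
	for (unsigned i = 0; i < n; i++)
		v |= (uint64_t)p[i] << (8 * i);
	if (sign && n < 8 && (p[n - 1] & 0x80))
		v |= ~0ULL << (8 * n);
	return (int64_t)v;
}

/* Unchecked form of the volume test from patch 2: lcn + len can wrap. */
bool volume_check_wraps(uint64_t lcn, uint64_t len, uint64_t nbits)
{
	return lcn + len > nbits;
}

/* Decode a run list; returns run count or -1 if malformed. Entry = header byte
 * (low nibble: length size, high nibble: LCN delta size) + both fields LE. */
int unpack_runs(const uint8_t *buf, size_t buflen, uint64_t nbits)
{
	const uint8_t *p = buf, *end = buf + buflen;
	int64_t lcn = 0;
	int count = 0;
	while (p < end && *p) {
		unsigned size_size = *p & 0xf, off_size = *p >> 4;
		p++;
		if (size_size == 0 || size_size > 8 || off_size > 8)
			return -1;
		/* Patch 1: both fields must fit in the remaining buffer. */
		if ((size_t)(end - p) < size_size + off_size)
			return -1;
		uint64_t len = (uint64_t)rd_le(p, size_size, false), lcn_end;
		p += size_size;
		if (off_size) {	/* off_size 0 = sparse run, no LCN */
			int64_t delta = rd_le(p, off_size, true);
			p += off_size;
			/* Patch 2: overflow-safe form of lcn + len > nbits. */
			if (__builtin_add_overflow(lcn, delta, &lcn) || lcn < 0 ||
			    __builtin_add_overflow((uint64_t)lcn, len, &lcn_end) ||
			    lcn_end > nbits)
				return -1;
		}
		count++;
	}
	return p < end ? count : -1;	/* must end on the 0 terminator */
}
```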