[PATCH 2/2] ntfs3: fix integer overflow in run_unpack() volume boundary check

Next message: Bryan O'Donoghue: "Re: [PATCH WIP v4 8/9] media: qcom: camss: csiphy-3ph: C-PHY needs own lane configuration"
Previous message: tobgaertner: "[PATCH 1/2] ntfs3: add buffer boundary checks to run_unpack()"
In reply to: tobgaertner: "[PATCH 1/2] ntfs3: add buffer boundary checks to run_unpack()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: tobgaertner

Date: Sun Mar 29 2026 - 07:18:26 EST

From: Tobias Gaertner <tob.gaertner@xxxxxx>

The volume boundary check `lcn + len > sbi->used.bitmap.nbits` uses raw
addition which can wrap around for large lcn and len values, bypassing
the validation. Use check_add_overflow() as is already done for the
adjacent prev_lcn + dlcn and vcn64 + len checks added by commit
3ac37e100385 ("ntfs3: Fix integer overflow in run_unpack()").

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

Fixes: 82cae269cfa95 ("fs/ntfs3: Add initialization of super block")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Tobias Gaertner <tob.gaertner@xxxxxx>
---
fs/ntfs3/run.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/fs/ntfs3/run.c b/fs/ntfs3/run.c
index c3c6917fa..a68000bd4 100644
--- a/fs/ntfs3/run.c
+++ b/fs/ntfs3/run.c
@@ -1027,9 +1027,15 @@ int run_unpack(struct runs_tree *run, struct ntfs_sb_info *sbi, CLST ino,
return -EOPNOTSUPP;
}
#endif
- if (lcn != SPARSE_LCN64 && lcn + len > sbi->used.bitmap.nbits) {
- /* LCN range is out of volume. */
- return -EINVAL;
+ if (lcn != SPARSE_LCN64) {
+ u64 lcn_end;
+
+ if (check_add_overflow(lcn, len, &lcn_end))
+ return -EINVAL;
+ if (lcn_end > sbi->used.bitmap.nbits) {
+ /* LCN range is out of volume. */
+ return -EINVAL;
+ }
}

if (!run)
--
2.43.0