Re: [PATCH v2] ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()

[Hyunchul Lee]

2026년 4월 23일 (목) 오전 8:57, Hyunchul Lee <hyc.lee@xxxxxxxxx>님이 작성:
>
> 2026년 4월 22일 (수) 오후 6:47, Zhan Xusheng <zhanxusheng1024@xxxxxxxxx>님이 작성:
> >
> > In ntfs_mapping_pairs_decompress(), lowest_vcn is read from
> > on-disk metadata and used as the initial vcn without validation.
> > A malformed value can introduce an invalid (e.g. negative) vcn,
> > corrupting the runlist from the start.
> >
> > Additionally, the accumulation
> >     vcn += deltaxcn
> >
> > does not check for s64 overflow. A crafted mapping pairs array
> > can wrap vcn to a negative value, breaking the monotonically-
> > increasing invariant relied upon by ntfs_rl_vcn_to_lcn() and
> > related helpers.
> >
> > Fix this by validating lowest_vcn and using check_add_overflow()
> > for vcn accumulation.
> >
> > Signed-off-by: Zhan Xusheng <zhanxusheng@xxxxxxxxxx>
> > ---
> > v2:
> >  - Validate lowest_vcn from on-disk metadata
> >  - Use check_add_overflow() for vcn accumulation
> > ---
> >  fs/ntfs/runlist.c | 19 +++++++++++++++++--
> >  1 file changed, 17 insertions(+), 2 deletions(-)
> >
> > diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c
> > index b213b4976d2b..ee68258ebffb 100644
> > --- a/fs/ntfs/runlist.c
> > +++ b/fs/ntfs/runlist.c
> > @@ -749,6 +749,12 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
> >  #endif
> >         /* Start at vcn = lowest_vcn and lcn 0. */
> >         vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn);
> > +       /* Validate lowest_vcn from on-disk metadata to ensure it is sane. */
> > +       if (unlikely(vcn < 0)) {
> > +               ntfs_error(vol->sb, "Invalid lowest_vcn in mapping pairs.");
> > +               goto err_out;
> > +       }
>
> How about using overflows_type() ?
> And please include <linux/overflow.h>.

Just a gentle ping.
Please let me know your thoughts.

>
> > +
> >         lcn = 0;
> >         /* Get start of the mapping pairs array. */
> >         buf = (u8 *)attr +
> > @@ -823,8 +829,17 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
> >                  * element.
> >                  */
> >                 rl[rlpos].length = deltaxcn;
> > -               /* Increment the current vcn by the current run length. */
> > -               vcn += deltaxcn;
> > +               /*
> > +                * Increment the current vcn by the current run length.
> > +                * Guard against s64 overflow from a crafted mapping
> > +                * pairs array to preserve the monotonically-increasing
> > +                * vcn invariant.
> > +                */
> > +               if (unlikely(check_add_overflow(vcn, deltaxcn, &vcn))) {
> > +                       ntfs_error(vol->sb, "VCN overflow in mapping pairs array.");
> > +                       goto err_out;
> > +               }
> > +
> >                 /*
> >                  * There might be no lcn change at all, as is the case for
> >                  * sparse clusters on NTFS 3.0+, in which case we set the lcn
> > --
> > 2.43.0
> >
>
>
> --
> Thanks,
> Hyunchul



-- 
Thanks,
Hyunchul