Re: [PATCH v3] ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()

Next message: Gary Guo: "Re: [PATCH] rust: module_param: use `pr_warn_once!` for null pointer warning"
Previous message: Andy Shevchenko: "Re: [PATCH v2 0/4] phy: phy-can-transceiver: Ad-hoc cleanups and refactoring"
In reply to: Hyunchul Lee: "Re: [PATCH v3] ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Namjae Jeon

Date: Mon Apr 27 2026 - 09:36:45 EST

On Thu, Apr 23, 2026 at 1:52 PM Zhan Xusheng <zhanxusheng1024@xxxxxxxxx> wrote:
>
> In ntfs_mapping_pairs_decompress(), lowest_vcn is read from
> on-disk metadata and used as the initial vcn without validation.
> A malformed value can introduce an invalid (e.g. negative) vcn,
> corrupting the runlist from the start.
>
> Additionally, the accumulation
> vcn += deltaxcn
>
> does not check for s64 overflow. A crafted mapping pairs array
> can wrap vcn to a negative value, breaking the monotonically-
> increasing invariant relied upon by ntfs_rl_vcn_to_lcn() and
> related helpers.
>
> Fix this by validating lowest_vcn and using check_add_overflow()
> for vcn accumulation.
>
> Signed-off-by: Zhan Xusheng <zhanxusheng@xxxxxxxxxx>
Applied it to #ntfs-next.
Thanks!