Re: [PATCH 4/4] ntfs: add bounds check before accessing EA entries

[Hyunchul Lee]

2026년 5월 22일 (금) 오후 10:16, CharSyam <charsyam@xxxxxxxxx>님이 작성:
>
> Hi, Hyunchul.
>
>  Since the new in-loop check makes the pre-loop guard a duplicate
> condition, dropping it
> would be cleaner:
>
>   - ntfs_ea_lookup(): if (ea_buf_size < sizeof(struct ea_attr)) goto out;
>   - ntfs_listxattr(): if (ea_info_qsize < sizeof(struct ea_attr)) {
> err = -EIO; goto out; }
>
>  On the first iteration offset == 0, so the new check evaluates the
> same condition and
> returns the same value — the pre-loop guard is now redundant. The OOB
> read fix itself looks
> good to me.
>

Okay, I will remove these conditions.

> Thanks.
> DaeMyung.
>
> 2026년 5월 22일 (금) 오전 9:51, Hyunchul Lee <hyc.lee@xxxxxxxxx>님이 작성:
> >
> > in ntfs_ea_lookup and ntfs_listxattr, this verifies that there is enough
> > space in the EA entry before accessing the next_entry_offset field of
> > the EA entry.
> >
> > Signed-off-by: Hyunchul Lee <hyc.lee@xxxxxxxxx>
> > ---
> >  fs/ntfs/ea.c | 8 ++++++++
> >  1 file changed, 8 insertions(+)
> >
> > diff --git a/fs/ntfs/ea.c b/fs/ntfs/ea.c
> > index c4a4a3e3e599..323caced77ea 100644
> > --- a/fs/ntfs/ea.c
> > +++ b/fs/ntfs/ea.c
> > @@ -58,6 +58,9 @@ static int ntfs_ea_lookup(char *ea_buf, s64 ea_buf_size, const char *name,
> >
> >         offset = 0;
> >         do {
> > +               if (ea_buf_size - offset < sizeof(struct ea_attr))
> > +                       break;
> > +
> >                 p_ea = (const struct ea_attr *)&ea_buf[offset];
> >                 next = le32_to_cpu(p_ea->next_entry_offset);
> >                 p_ea_size = next ? next : (ea_buf_size - offset);
> > @@ -486,6 +489,11 @@ ssize_t ntfs_listxattr(struct dentry *dentry, char *buffer, size_t size)
> >
> >         offset = 0;
> >         do {
> > +               if (ea_info_qsize - offset < sizeof(struct ea_attr)) {
> > +                       err = -EIO;
> > +                       goto out;
> > +               }
> > +
> >                 p_ea = (const struct ea_attr *)&ea_buf[offset];
> >                 next = le32_to_cpu(p_ea->next_entry_offset);
> >                 ea_size = next ? next : (ea_info_qsize - offset);
> >
> > --
> > 2.43.0
> >
> >



-- 
Thanks,
Hyunchul