Re: [PATCH v6 4/4] ntfs: validate resident index root values on lookup

[Hyunchul Lee]

2026년 6월 9일 (화) 오전 12:49, DaeMyung Kang <charsyam@xxxxxxxxx>님이 작성:
>
> Resident $INDEX_ROOT values carry index header fields that callers
> consume after lookup. Some callers already validate parts of the layout
> before walking entries, but those checks are scattered and do not cover
> all root header invariants, such as entries_offset alignment and lower
> bound, index_length, and allocated_size consistency.
>
> The resident root resize paths now keep these header fields consistent
> while the value size changes: ntfs_ir_truncate() lowers
> index.allocated_size before shrinking the resident value, and
> ntfs_ir_reparent() grows the resident value before publishing a larger
> root header. Lookup-time validation can therefore cover these invariants
> without tripping over the driver's own resize paths.
>
> Add $INDEX_ROOT to the minimum resident value size table and validate the
> resident index header fields before returning the attribute from lookup.
> Require 8-byte aligned index header fields, a sane entries_offset, an
> index_length within allocated_size, allocated_size within the resident
> value, and enough entry space for at least an index entry header.
>
> The shared validator already rejects non-resident records for
> resident-only attribute types, including $INDEX_ROOT.
>
> Signed-off-by: DaeMyung Kang <charsyam@xxxxxxxxx>

Looks good to me.

Reviewed-by: Hyunchul Lee <hyc.lee@xxxxxxxxx>

> ---
>  fs/ntfs/attrib.c | 31 +++++++++++++++++++++++++++++++
>  1 file changed, 31 insertions(+)
>
> diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c
> index 1254fbe7666e..8f10688a17df 100644
> --- a/fs/ntfs/attrib.c
> +++ b/fs/ntfs/attrib.c
> @@ -589,6 +589,8 @@ static u32 ntfs_resident_attr_min_value_length(const __le32 type)
>                         sizeof(__le16) * 1;
>         case AT_VOLUME_INFORMATION:
>                 return sizeof(struct volume_information);
> +       case AT_INDEX_ROOT:
> +               return sizeof(struct index_root);
>         case AT_EA_INFORMATION:
>                 return sizeof(struct ea_information);
>         default:
> @@ -632,6 +634,31 @@ static bool ntfs_volume_name_attr_value_is_valid(const u32 value_length)
>         return value_length <= NTFS_MAX_LABEL_LEN * sizeof(__le16);
>  }
>
> +static bool ntfs_index_root_attr_value_is_valid(const u8 *value, const u32 value_length)
> +{
> +       const struct index_root *ir;
> +       u32 index_size;
> +       u32 entries_offset;
> +       u32 index_length;
> +       u32 allocated_size;
> +
> +       ir = (const struct index_root *)value;
> +       index_size = value_length - offsetof(struct index_root, index);
> +       entries_offset = le32_to_cpu(ir->index.entries_offset);
> +       index_length = le32_to_cpu(ir->index.index_length);
> +       allocated_size = le32_to_cpu(ir->index.allocated_size);
> +
> +       if ((entries_offset | index_length | allocated_size) & 7 ||
> +           entries_offset < sizeof(struct index_header) ||
> +           entries_offset > index_length ||
> +           index_length > allocated_size ||
> +           allocated_size > index_size ||
> +           index_length - entries_offset < sizeof(struct index_entry_header))
> +               return false;
> +
> +       return true;
> +}
> +
>  struct ntfs_resident_attr_value {
>         const u8 *data;
>         u32 len;
> @@ -705,6 +732,10 @@ static bool ntfs_attr_value_is_valid(struct ntfs_volume *vol,
>                 if (!ntfs_volume_name_attr_value_is_valid(value.len))
>                         goto corrupt;
>                 break;
> +       case AT_INDEX_ROOT:
> +               if (!ntfs_index_root_attr_value_is_valid(value.data, value.len))
> +                       goto corrupt;
> +               break;
>         }
>         return true;
>
> --
> 2.43.0
>


-- 
Thanks,
Hyunchul