Re: [PATCH v4 3/3] ntfs: bound the attribute-list entry in ntfs_read_inode_mount()
From: Namjae Jeon
Date: Thu Jun 11 2026 - 18:05:29 EST
On Fri, Jun 12, 2026 at 1:07 AM XIAO WU <xiaowu.417@xxxxxx> wrote:
Hi Xiao,
> ## Suggestion
>
> This is a pre-existing issue, but since the patch touches the same
> allocation site, fixing it here would prevent an attacker from bypassing
> the new validation by triggering the overflow before any entry is
> validated. Two possible fixes:
>
> 1. Use 64-bit arithmetic for the round_up:
>
>     ni->attr_list = kvzalloc(round_up((u64)ni->attr_list_size,
>                                       SECTOR_SIZE),
>                              GFP_NOFS);
>
> 2. Or check for overflow explicitly:
>
>     if (ni->attr_list_size > U32_MAX - SECTOR_SIZE + 1) {
>         err = -EINVAL;
>         goto put_err_out;
>     }
>     ni->attr_list = kvzalloc(round_up(ni->attr_list_size, SECTOR_SIZE),
>                              GFP_NOFS);
>
> Either approach prevents the overflow without changing the validation
> improvements from this patch.
Could you make your second suggested fix into a patch and send it to
me for your credit?
Thanks for the report.
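The overflow the quoted review describes can be reproduced outside the kernel. The block below is an added userland example, not code from the patch or from fs/ntfs: it replays the kernel's round_up() arithmetic once in 32 bits (as happens when attr_list_size is a u32) and once widened to 64 bits, and implements the explicit bound from the second suggestion. SECTOR_SIZE is assumed to be 512, and the sizes exercised in main() are constructed, not taken from a real volume.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the kernel defines SECTOR_SIZE as 512. */
#define SECTOR_SIZE 512u

/* Same formula as the kernel's round_up() macro, ((x - 1) | (y - 1)) + 1,
 * evaluated in 32 bits as it is when x is a u32. */
static uint32_t round_up_u32(uint32_t x, uint32_t y)
{
	return ((x - 1) | (y - 1)) + 1;
}

/* Suggestion 1 from the review: widen first, so the +1 cannot wrap. */
static uint64_t round_up_u64(uint64_t x, uint64_t y)
{
	return ((x - 1) | (y - 1)) + 1;
}

/* Suggestion 2 from the review: reject any size whose rounded value does
 * not fit in 32 bits.  Returns the allocation size to hand to kvzalloc(),
 * or -EINVAL.  The bound is exact: UINT32_MAX - SECTOR_SIZE + 1 is the
 * largest size that rounds up without wrapping. */
static int64_t attr_list_alloc_size(uint32_t attr_list_size)
{
	if (attr_list_size > UINT32_MAX - SECTOR_SIZE + 1)
		return -EINVAL;
	return round_up_u32(attr_list_size, SECTOR_SIZE);
}

int main(void)
{
	/* Constructed on-disk value: one byte past the last safe size. */
	uint32_t bad = 0xFFFFFE01u;
	uint32_t ok = 0xFFFFFE00u;

	printf("round_up_u32(0x%x) = 0x%x (wrapped to a tiny allocation)\n",
	       bad, round_up_u32(bad, SECTOR_SIZE));
	printf("round_up_u64(0x%x) = 0x%llx (no wrap)\n",
	       bad, (unsigned long long)round_up_u64(bad, SECTOR_SIZE));
	printf("attr_list_alloc_size(0x%x) = %lld\n",
	       bad, (long long)attr_list_alloc_size(bad));
	printf("attr_list_alloc_size(0x%x) = 0x%llx\n",
	       ok, (unsigned long long)attr_list_alloc_size(ok));
	return 0;
}
```

With the 32-bit formula the rounded size wraps to 0, so the allocation is far smaller than the length later copied into it; the bound rejects exactly the sizes for which that happens and accepts 0xFFFFFE00, which is already sector-aligned and needs no rounding.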