[PATCH ntfs3] fs/ntfs3: validate $SDH entry size in ntfs_insert_security
From: Xiang Mei
Date: Fri Jul 03 2026 - 17:54:48 EST
ntfs_insert_security() walks the $Secure::$SDH index and reads
e->sec_hdr.size for every entry returned by indx_find()/indx_find_sort().
Those only guarantee the NTFS_DE envelope (e->size), so a crafted $SDH
entry shorter than a full NTFS_DE_SDH at the tail of an index buffer makes
the read of e->sec_hdr.size run past the allocation. Triggerable by an
unprivileged setxattr(2) on a crafted NTFS image.
BUG: KASAN: slab-out-of-bounds in ntfs_insert_security (fs/ntfs3/fsntfs.c:2148)
Read of size 4 at addr ffff88800fa1de00 by task exploit/142
ntfs_insert_security (fs/ntfs3/fsntfs.c:2148)
ntfs_setxattr (fs/ntfs3/xattr.c:947)
__vfs_setxattr (fs/xattr.c:223)
__vfs_setxattr_noperm (fs/xattr.c:257)
vfs_setxattr (fs/xattr.c:344)
filename_setxattr (fs/xattr.c:690)
path_setxattrat (fs/xattr.c:734)
__x64_sys_setxattr (fs/xattr.c:764)
[...]
The buggy address is located 0 bytes to the right of
allocated 512-byte region [ffff88800fa1dc00, ffff88800fa1de00)
Stop the scan when an entry is too small to hold a SECURITY_HDR.
Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Reported-by: Weiming Shi <bestswngs@xxxxxxxxx>
Signed-off-by: Xiang Mei <xmei5@xxxxxxx>
---
fs/ntfs3/fsntfs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c
index bc7469d0a34d..6d81ae6c1f11 100644
--- a/fs/ntfs3/fsntfs.c
+++ b/fs/ntfs3/fsntfs.c
@@ -2145,6 +2145,9 @@ int ntfs_insert_security(struct ntfs_sb_info *sbi,
goto out;
while (e) {
+ if (le16_to_cpu(e->de.size) < SIZEOF_SDH_DIRENTRY)
+ break;
+
if (le32_to_cpu(e->sec_hdr.size) == new_sec_size) {
err = ntfs_read_run_nb(sbi, &ni->file.run,
le64_to_cpu(e->sec_hdr.off),
--
2.43.0