[PATCH] Fix OOB write if err =3D=3D buflen in ntfs_readlink_hlp()
From: Alexandro Calo
Date: Wed Jul 08 2026 - 06:04:37 EST
ntfs_utf16_to_nls() may return buflen. The caller later uses the returned
length as the index for writing the trailing NUL byte,
so err =3D=3D buflen writes one byte past the end of buffer.
Fix this by limiting err to the last valid buffer index before writing
NUL.
ntfs_utf16_to_nls() returning a negative value is already handled by
if (err < 0) goto out;
As long as buflen is guaranteed to be nonzero the patch is fine.
As a defensive fix if(buflen=3D=3D0) could be added.
This heap out-of-bounds write requires a crafted filesystem image,
which is not in the kernel threat model, but fixing memory errors would
be nice to keep things secure.
Signed-off-by: Alexandro Calo <alexandro.calo@xxxxxxxxxxxxxxxxxx>
---
fs/ntfs3/inode.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index 0c9bd669117d..d4803e1625fe 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -2029,6 +2029,9 @@ static noinline int ntfs_readlink_hlp(const struct de=
ntry *link_de,
if (err < 0)
goto out;
=20
+ if (err >=3D buflen)
+ err =3D buflen - 1;
+
/* Translate Windows '\' into Linux '/'. */
for (i =3D 0; i < err; i++) {
if (buffer[i] =3D=3D '\\')
base-commit: 0e35b9b6ec0ffcc5e23cbdec09f5c622ad532b53
--=20
2.47.3