Re: [PATCH v2] ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()

[Hyunchul Lee]

2026년 4월 22일 (수) 오후 6:47, Zhan Xusheng <zhanxusheng1024@xxxxxxxxx>님이 작성:
>
> In ntfs_mapping_pairs_decompress(), lowest_vcn is read from
> on-disk metadata and used as the initial vcn without validation.
> A malformed value can introduce an invalid (e.g. negative) vcn,
> corrupting the runlist from the start.
>
> Additionally, the accumulation
>     vcn += deltaxcn
>
> does not check for s64 overflow. A crafted mapping pairs array
> can wrap vcn to a negative value, breaking the monotonically-
> increasing invariant relied upon by ntfs_rl_vcn_to_lcn() and
> related helpers.
>
> Fix this by validating lowest_vcn and using check_add_overflow()
> for vcn accumulation.
>
> Signed-off-by: Zhan Xusheng <zhanxusheng@xxxxxxxxxx>
> ---
> v2:
>  - Validate lowest_vcn from on-disk metadata
>  - Use check_add_overflow() for vcn accumulation
> ---
>  fs/ntfs/runlist.c | 19 +++++++++++++++++--
>  1 file changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c
> index b213b4976d2b..ee68258ebffb 100644
> --- a/fs/ntfs/runlist.c
> +++ b/fs/ntfs/runlist.c
> @@ -749,6 +749,12 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
>  #endif
>         /* Start at vcn = lowest_vcn and lcn 0. */
>         vcn = le64_to_cpu(attr->data.non_resident.lowest_vcn);
> +       /* Validate lowest_vcn from on-disk metadata to ensure it is sane. */
> +       if (unlikely(vcn < 0)) {
> +               ntfs_error(vol->sb, "Invalid lowest_vcn in mapping pairs.");
> +               goto err_out;
> +       }

How about using overflows_type() ?
And please include <linux/overflow.h>.

> +
>         lcn = 0;
>         /* Get start of the mapping pairs array. */
>         buf = (u8 *)attr +
> @@ -823,8 +829,17 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
>                  * element.
>                  */
>                 rl[rlpos].length = deltaxcn;
> -               /* Increment the current vcn by the current run length. */
> -               vcn += deltaxcn;
> +               /*
> +                * Increment the current vcn by the current run length.
> +                * Guard against s64 overflow from a crafted mapping
> +                * pairs array to preserve the monotonically-increasing
> +                * vcn invariant.
> +                */
> +               if (unlikely(check_add_overflow(vcn, deltaxcn, &vcn))) {
> +                       ntfs_error(vol->sb, "VCN overflow in mapping pairs array.");
> +                       goto err_out;
> +               }
> +
>                 /*
>                  * There might be no lcn change at all, as is the case for
>                  * sparse clusters on NTFS 3.0+, in which case we set the lcn
> --
> 2.43.0
>


-- 
Thanks,
Hyunchul