Re: [PATCH v5 4/4] ntfs: validate index root allocated_size on lookup

From: CharSyam

Date: Mon Jun 08 2026 - 01:41:36 EST


Hi, Hyunchul.

The current patch series was prepared on top of ntfs-next,
assuming that V4 0001–0004 had already been merged.
I'll resend the entire series as V6, including those patches,
to make the dependency explicit.

Thanks.
DaeMyung

On Mon, Jun 8, 2026 at 2:08 PM Hyunchul Lee <hyc.lee@xxxxxxxxx> wrote:
>
> Hi Daemyung,
>
> On Sun, Jun 7, 2026 at 2:17 PM DaeMyung Kang <charsyam@xxxxxxxxx> wrote:
> >
> > The resident $INDEX_ROOT validator already checks the index root header
> > fields, but it still does not bound index_length through allocated_size or
> > ensure allocated_size stays within the resident index area.
> >
> > Callers consume index.allocated_size as the resident root capacity.
> > ntfs_ie_add() uses it to decide whether an insertion can be done in place,
> > and ntfs_ie_insert() then updates the root without re-checking the resident
> > value boundary.
> >
> > Read allocated_size in the resident $INDEX_ROOT validator, require it to be
> > 8-byte aligned, require index_length <= allocated_size, and require
> > allocated_size <= the resident index area. Valid slack remains allowed.
> >
> > Signed-off-by: DaeMyung Kang <charsyam@xxxxxxxxx>
> > ---
> > fs/ntfs/attrib.c | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c
> > index cf49eade6b22..49c8f1f3b9dd 100644
> > --- a/fs/ntfs/attrib.c
> > +++ b/fs/ntfs/attrib.c
> > @@ -657,15 +657,19 @@ static bool ntfs_index_root_attr_value_is_valid(const u8 *value, const u32 value
>
> Applying this patch failed.
> It seems that the patch below has not been merged yet.
> https://lore.kernel.org/all/20260530143514.3083601-7-charsyam@xxxxxxxxx/
>
> > u32 index_size;
> > u32 entries_offset;
> > u32 index_length;
> > + u32 allocated_size;
> >
> > ir = (const struct index_root *)value;
> > index_size = value_length - offsetof(struct index_root, index);
> > entries_offset = le32_to_cpu(ir->index.entries_offset);
> > index_length = le32_to_cpu(ir->index.index_length);
> > + allocated_size = le32_to_cpu(ir->index.allocated_size);
> >
> > - if ((entries_offset | index_length) & 7 ||
> > + if ((entries_offset | index_length | allocated_size) & 7 ||
> > entries_offset < sizeof(struct index_header) ||
> > entries_offset > index_length ||
> > + index_length > allocated_size ||
> > + allocated_size > index_size ||
> > index_length - entries_offset < sizeof(struct index_entry_header))
> > return false;
> >
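Review bot: the new `allocated_size > index_size` bound only holds if `index_size = value_length - offsetof(struct index_root, index);` cannot underflow, and nothing visible in this hunk rejects a value_length smaller than offsetof(struct index_root, index); if that check already lives earlier in ntfs_index_root_attr_value_is_valid(), a short comment at the subtraction would make the dependency visible, otherwise it should be added before index_size is computed. The ordering of the remaining comparisons is sound as written: `entries_offset > index_length` is rejected before `index_length - entries_offset` is evaluated, and `index_length > allocated_size` before `allocated_size > index_size`, so allocated_size is bounded on both sides. Since the commit message states that allocated_size larger than index_length is legitimate slack which ntfs_ie_add() consumes as in-place capacity, a one-line comment above the `if` noting that slack is deliberately permitted would spare the next reader from tightening it to an equality.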
> > --
> > 2.43.0
>
>
>
> --
> Thanks,
> Hyunchul