[PATCH] fs/ntfs3: fix info-leak on partial LZNT decompress in ni_read_frame()
From: Samuel Page
Date: Tue Jun 23 2026 - 15:02:04 EST
ni_read_frame() decompresses an LZNT $DATA frame into the vmapped target
pages and then trusts decompress_lznt()'s return value:
unc_size = decompress_lznt(frame_ondisk, ondisk_size, frame_mem,
frame_size);
if ((ssize_t)unc_size < 0) err = unc_size;
else if (!unc_size || unc_size > frame_size) err = -EINVAL;
decompress_lznt() stops as soon as the compressed stream is exhausted
(e.g. a zero chunk header) and returns the number of bytes it actually
wrote, which may be far less than frame_size. The bytes between unc_size
and frame_size are never written. The only memset() that follows zeroes
the region beyond i_valid; when the frame lies entirely within the file's
valid size that memset() does not run, so the gap retains whatever was in
the just-vmapped pages. All pages are then marked uptodate and returned
to userspace, disclosing uninitialized (recently-freed) kernel page
memory. A crafted compressed file whose stream decompresses to only a few
bytes leaks the remainder of every frame on a plain read(2), which is
enough to recover kernel pointers and defeat KASLR.
Zero the [unc_size, frame_size) tail immediately after a successful LZNT
decompress so the remainder reads back as zero.
Fixes: 4342306f0f0d ("fs/ntfs3: Add file operations and implementation")
Cc: stable@xxxxxxxxxxxxxxx
Assisted-by: Bynario AI
Signed-off-by: Samuel Page <sam@xxxxxxxx>
---
Reproduced on a non-KASAN, KASLR-enabled arm64 guest: a crafted file whose
64 KiB LZNT frames each decompress to 8 bytes leaks the [8, 65536) tail of
every frame on a plain read(2) - up to ~3.3 MiB of uninitialized page memory,
including kernel-text return addresses from freed VMAP_STACK pages, from
which the KASLR base was recovered and verified vs /proc/kallsyms. With the
patch the same read returns zeroes; a zeroed control image (valid_size
truncated so the existing memset runs) leaks nothing, isolating the cause.
fs/ntfs3/frecord.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
index 7b035da63c12..cd11df75bdbc 100644
--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -2443,6 +2443,15 @@ int ni_read_frame(struct ntfs_inode *ni, u64 frame_vbo, struct page **pages,
err = unc_size;
else if (!unc_size || unc_size > frame_size)
err = -EINVAL;
+ else if (unc_size < frame_size) {
+ /*
+ * Partial decompress: zero the [unc_size, frame_size)
+ * tail. decompress_lznt() leaves it untouched, so
+ * without this the freshly vmapped pages would expose
+ * uninitialized kernel memory to userspace.
+ */
+ memset(frame_mem + unc_size, 0, frame_size - unc_size);
+ }
}
if (!err && valid_size < frame_vbo + frame_size) {
size_t ok = valid_size - frame_vbo;
--
2.54.0