diff options
| author |   DaeMyung Kang <charsyam@gmail.com> | 2026-05-09 15:12:35 +0900 |
|---|---|---|
| committer |   Namjae Jeon <linkinjeon@kernel.org> | 2026-05-10 00:42:17 +0900 |
| commit | 6098790c403d5e95a35bb6bf938591ca8c8e224f (patch) | |
| tree | 7621dda6138e6c183a57d5faa37df3a37da5c45c /tools/testing/selftests/dm-verity/git:/ssh:/git@git.zx2c4.com | |
| parent | ntfs: fix missing kstrdup() error check in ntfs_write_volume_label() (diff) | |
ntfs: validate MFT attrs_offset against bytes_in_use
ntfs_mft_record_check() verifies that attrs_offset is aligned and that
the resulting pointer stays within the allocated MFT record buffer, but
it does not check that the first attribute header starts within the
bytes_in_use area.
A malformed record with attrs_offset greater than bytes_in_use can pass
this check as long as attrs_offset is still within bytes_allocated. The
attribute parser then computes the remaining record space by subtracting
the attribute pointer from bytes_in_use. Because that value is unsigned,
the subtraction can underflow and allow bytes after bytes_in_use to be
interpreted as an attribute.
Reject records where attrs_offset is outside bytes_in_use or where the
used area does not even contain the four-byte attribute type/AT_END
terminator at attrs_offset.
A small userspace model with attrs_offset=128 and bytes_in_use=64 shows
the current check accepts the record and the parser space calculation
underflows to 0xffffffc0. With this change the same malformed record is
rejected before the attribute walker is entered.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Diffstat (limited to 'tools/testing/selftests/dm-verity/git:/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions