Re: [PATCH 0/2] ntfs3: fix OOB read and integer overflow in run_unpack()
From: Tobias Gaertner
Date: Wed Apr 15 2026 - 00:20:08 EST
Hi Konstantin,
Great news!
Will I get a CVE for that memory leak?
Can you credit the patch and CVE to “Tiefgang Security Labs”?
info@xxxxxxxxxxxxxxxxxxxxxxxx
Cheers,
Tobias
> On Apr 7, 2026, at 10:19, Konstantin Komarov <almaz.alexandrovich@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On 3/29/26 13:17, tobgaertner wrote:
>
>> From: Tobias Gaertner <tob.gaertner@xxxxxx>
>>
>> Two bugs in run_unpack() found by fuzzing with a source-patched harness
>> (LibAFL + QEMU ARM64 system-mode):
>>
>> Patch 1: run_unpack() checks `run_buf < run_last` at the loop top but
>> then reads size_size and offset_size bytes via run_unpack_s64() without
>> verifying they fit in the remaining buffer. A crafted NTFS image with
>> truncated run data triggers a heap OOB read of up to 15 bytes on mount.
>>
>> Patch 2: The volume boundary check `lcn + len > sbi->used.bitmap.nbits`
>> uses raw addition that can wrap for large values, bypassing the
>> validation. CVE-2025-40068 added check_add_overflow() for adjacent
>> arithmetic but missed this instance.
>>
>> Both bugs are present since NTFS3 was merged in 5.15.
>>
>> Could CVE IDs be assigned for these two issues?
>>
>> tobgaertner (2):
>> ntfs3: add buffer boundary checks to run_unpack()
>> ntfs3: fix integer overflow in run_unpack() volume boundary check
>>
>> fs/ntfs3/run.c | 18 +++++++++++++++---
>> 1 file changed, 15 insertions(+), 3 deletions(-)
>>
>> --
>> 2.43.0
>>
> Hello,
>
> Patches are queued for the next merge window, thanks.
>
> Regards,
> Konstantin
>
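To make the two defects in the cover letter concrete, here is an added example: a simplified, stand-alone C model of the mapping-pairs ("run") decoding that run_unpack() performs, with the two checks the patches describe. It is not fs/ntfs3/run.c and not the submitter's patches; `struct run`, `read_le`, `run_unpack_model`, `run_exceeds_volume` and `oob_bytes_unhardened` are hypothetical names, the byte strings are constructed, and `__builtin_add_overflow` stands in for the kernel's `check_add_overflow()`. The header-byte layout (low nibble = length size, high nibble = offset size, 0x00 terminates, offset size 0 = sparse run) follows the NTFS on-disk format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Example code: a simplified model of run_unpack(), not fs/ntfs3/run.c. */

struct run { uint64_t vcn, lcn, len; };

#define VOLUME_CLUSTERS 1000ULL   /* constructed stand-in for sbi->used.bitmap.nbits */

/* Constructed run lists: header byte, packed length, packed signed delta-LCN, ... */
static const uint8_t good_runs[]      = { 0x21, 0x18, 0x34, 0x00,   /* len 24 @ lcn 52 */
                                          0x11, 0x10, 0x10, 0x00 }; /* len 16 @ lcn 68, end */
static const uint8_t truncated_runs[] = { 0x21, 0x18, 0x34 };       /* header promises 3 payload bytes, 2 present */
static const uint8_t wrapping_runs[]  = { 0x11, 0x10, 0xF0, 0x00 }; /* dlcn = -16 -> lcn near UINT64_MAX */

/* Little-endian read of n (1..8) bytes, optionally sign-extended; the role
 * run_unpack_s64() plays in the kernel. Caller guarantees the bytes exist. */
static int64_t read_le(const uint8_t *p, unsigned n, bool signed_val)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    if (signed_val && n < 8 && (p[n - 1] & 0x80))
        v |= ~(uint64_t)0 << (8 * n);       /* sign-extend */
    return (int64_t)v;
}

/* Patch 2 in model form: overflow-safe `lcn + len > nbits`. */
static bool run_exceeds_volume(uint64_t lcn, uint64_t len, uint64_t nbits)
{
    uint64_t end;
    if (__builtin_add_overflow(lcn, len, &end))
        return true;                        /* wrapped: certainly out of range */
    return end > nbits;
}

/* The raw-addition form for comparison: wraps silently and accepts the run. */
static bool run_exceeds_volume_naive(uint64_t lcn, uint64_t len, uint64_t nbits)
{
    return lcn + len > nbits;
}

/* Returns runs decoded, -1 on truncated data (patch 1), -2 if a run lies
 * outside the volume (patch 2). Writes at most max_runs entries to out. */
static int run_unpack_model(const uint8_t *buf, size_t buf_len, uint64_t nbits,
                            struct run *out, size_t max_runs)
{
    const uint8_t *p = buf, *end = buf + buf_len;
    uint64_t vcn = 0, lcn = 0;
    size_t n = 0;

    while (p < end && *p) {                 /* 0x00 header terminates the list */
        unsigned size_size = *p & 0x0f, offset_size = *p >> 4;

        if (size_size > 8 || offset_size > 8)
            return -1;                      /* corrupt header */
        /* Patch 1 in model form: `p < end` only proves the header fits; the
         * size_size + offset_size payload bytes must fit as well. Lengths are
         * compared instead of forming a pointer past the end. */
        if ((size_t)(end - p) < 1u + size_size + offset_size)
            return -1;
        p++;

        uint64_t len = (uint64_t)read_le(p, size_size, false);
        p += size_size;
        if (offset_size) {                  /* offset_size == 0 is a sparse run */
            lcn += (uint64_t)read_le(p, offset_size, true);
            p += offset_size;
            if (run_exceeds_volume(lcn, len, nbits))
                return -2;
        }
        if (n < max_runs)
            out[n] = (struct run){ .vcn = vcn, .lcn = offset_size ? lcn : 0, .len = len };
        n++;
        vcn += len;
    }
    return (int)n;
}

/* How many bytes past the buffer a decoder with only the header check would
 * read for this input, computed without doing the read. 0 = none. */
static size_t oob_bytes_unhardened(const uint8_t *buf, size_t buf_len)
{
    const uint8_t *p = buf, *end = buf + buf_len;

    while (p < end && *p) {
        unsigned size_size = *p & 0x0f, offset_size = *p >> 4;
        size_t need = 1u + size_size + offset_size, have = (size_t)(end - p);

        if (size_size > 8 || offset_size > 8)
            return 0;                       /* rejected before the payload read */
        if (need > have)
            return need - have;
        p += need;
    }
    return 0;
}

int main(void)
{
    struct run r[4];
    int n = run_unpack_model(good_runs, sizeof good_runs, VOLUME_CLUSTERS, r, 4);
    printf("good: %d runs, first lcn=%llu len=%llu\n", n,
           (unsigned long long)r[0].lcn, (unsigned long long)r[0].len);
    printf("truncated: rc=%d, unhardened over-read=%zu bytes\n",
           run_unpack_model(truncated_runs, sizeof truncated_runs, VOLUME_CLUSTERS, r, 4),
           oob_bytes_unhardened(truncated_runs, sizeof truncated_runs));
    printf("wrapping: rc=%d, naive check flags it=%d\n",
           run_unpack_model(wrapping_runs, sizeof wrapping_runs, VOLUME_CLUSTERS, r, 4),
           run_exceeds_volume_naive(0xFFFFFFFFFFFFFFF0ULL, 16, VOLUME_CLUSTERS));
    return 0;
}
```

The truncated input passes the loop-top `p < end` test (the header byte is in bounds) and only the length comparison before the payload read stops it; the wrapping input shows a delta-LCN that drives lcn to 0xFFFFFFFFFFFFFFF0 so that `lcn + len` wraps to 0 and the raw comparison accepts a run that the overflow-aware check rejects.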