[PATCH] ntfs: detect mapping-pairs LCN accumulator overflow

From: Samuel Moelius

Date: Wed Jun 03 2026 - 13:41:31 EST


The NTFS mapping-pairs parser accumulates relative LCN deltas in a
signed integer. A corrupted attribute can drive that addition past
the representable range.

One corrupt runlist shape sets the accumulated LCN to S64_MAX and
then adds a delta of 1 in the next mapping-pairs entry.

Signed overflow is undefined and can turn an invalid runlist into a
different set of physical clusters.

Check the LCN addition for overflow before storing the next run.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@xxxxxxxxxxxxxxx>
---
fs/ntfs/runlist.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c
index e7de3d01257e..e9294a5f4cbf 100644
--- a/fs/ntfs/runlist.c
+++ b/fs/ntfs/runlist.c
@@ -860,7 +860,11 @@ struct runlist_element *ntfs_mapping_pairs_decompress(const struct ntfs_volume *
for (deltaxcn = (s8)buf[b--]; b > b2; b--)
deltaxcn = (deltaxcn << 8) + buf[b];
/* Change the current lcn to its new value. */
- lcn += deltaxcn;
+ if (unlikely(check_add_overflow(lcn, deltaxcn, &lcn))) {
+ ntfs_error(vol->sb,
+ "LCN overflow in mapping pairs array.");
+ goto err_out;
+ }
#ifdef DEBUG
/*
* On NTFS 1.2-, apparently can have lcn == -1 to
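Review bot: check_add_overflow() stores the wrapped sum into its destination even when it returns true, so passing `&lcn` as the destination leaves `lcn` holding the wrapped value on the error path; that is harmless only because `goto err_out` follows immediately. Consider adding into a temporary (`s64 new_lcn;` and `check_add_overflow(lcn, deltaxcn, &new_lcn)`, assigning to `lcn` on success) so the error path still has the pre-addition LCN, and include that value together with `deltaxcn` in the ntfs_error() message so the log identifies the corrupt entry rather than only saying "LCN overflow in mapping pairs array." Since the same check catches the negative direction (an LCN near S64_MIN plus a negative delta), the message could also say "overflow/underflow" to avoid sending a reader looking only for the S64_MAX case.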
--
2.43.0
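As an added illustration of the guard the patch introduces (this is example code written here, not the kernel's fs/ntfs/runlist.c), the following userspace model decodes sign-extended little-endian deltas the way the quoted loop does, accumulates them into a signed 64-bit LCN, and refuses the addition when it would overflow. It uses the GCC/Clang builtin `__builtin_add_overflow()` directly, which is what the kernel's `check_add_overflow()` wraps; the runlist byte sequences are constructed for the example, including the S64_MAX-then-plus-one shape the commit message describes.

```c
/* Added example, not kernel code: a userspace model of the mapping-pairs
 * LCN accumulator with the overflow guard from the patch. Assumes a
 * GCC/Clang compiler for __builtin_add_overflow(). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t s64;
#define S64_MAX INT64_MAX

/* How many relative deltas were accepted and the LCN reached at the stop. */
struct walk_result {
	size_t runs_ok;
	s64 lcn;
};

/* One encoded delta: little-endian, sign-extended from its top byte, as the
 * mapping-pairs format stores a relative LCN (constructed input). */
struct enc_delta {
	const uint8_t *bytes;
	size_t len;
};

/* Decode like the kernel loop: start from the most significant byte as a
 * signed 8-bit value, then shift in the lower bytes. Shifts are done in
 * unsigned arithmetic so the decode itself never relies on signed wrap. */
static s64 decode_delta(const uint8_t *p, size_t len)
{
	uint64_t v;
	size_t i;

	if (len == 0 || len > sizeof(s64))
		return 0;	/* malformed length; a real parser rejects this */
	v = (uint64_t)(s64)(int8_t)p[len - 1];
	for (i = len - 1; i > 0; i--)
		v = (v << 8) | p[i - 1];
	return (s64)v;
}

/* Apply one delta to the running LCN. Returns false and leaves *lcn
 * untouched if the sum would overflow in either direction. (The kernel's
 * check_add_overflow() stores the wrapped sum on failure; the patch is safe
 * because it jumps to err_out at once. This model keeps the old value.) */
static bool lcn_step(s64 *lcn, s64 delta)
{
	s64 next;

	if (__builtin_add_overflow(*lcn, delta, &next))
		return false;
	*lcn = next;
	return true;
}

/* Walk encoded deltas from LCN 0, stopping at the first overflowing entry. */
static struct walk_result walk_deltas(const struct enc_delta *d, size_t n)
{
	struct walk_result r = { 0, 0 };

	for (r.runs_ok = 0; r.runs_ok < n; r.runs_ok++) {
		s64 delta = decode_delta(d[r.runs_ok].bytes, d[r.runs_ok].len);

		if (!lcn_step(&r.lcn, delta))
			break;
	}
	return r;
}

/* Constructed corrupt runlist from the commit message: first delta moves
 * the LCN to S64_MAX, the second adds 1. */
static struct walk_result corrupt_case(void)
{
	static const uint8_t to_max[8] = { 0xff, 0xff, 0xff, 0xff,
					   0xff, 0xff, 0xff, 0x7f };
	static const uint8_t plus_one[1] = { 0x01 };
	const struct enc_delta d[] = { { to_max, 8 }, { plus_one, 1 } };

	return walk_deltas(d, 2);
}

/* Constructed benign runlist: +16, +256, -16 (0xf0 sign-extends to -16). */
static struct walk_result benign_case(void)
{
	static const uint8_t d16[1] = { 0x10 };
	static const uint8_t d256[2] = { 0x00, 0x01 };
	static const uint8_t dm16[1] = { 0xf0 };
	const struct enc_delta d[] = { { d16, 1 }, { d256, 2 }, { dm16, 1 } };

	return walk_deltas(d, 3);
}

int main(void)
{
	struct walk_result c = corrupt_case(), b = benign_case();

	printf("corrupt: %zu run(s) accepted, stopped at lcn=%lld\n",
	       c.runs_ok, (long long)c.lcn);
	printf("benign : %zu run(s) accepted, final lcn=%lld\n",
	       b.runs_ok, (long long)b.lcn);
	return 0;
}
```

The corrupt walk accepts exactly one run and stops with the LCN still at S64_MAX, which is the observable behaviour the patch aims for: the parser reports a corrupt attribute instead of continuing with a wrapped cluster number. The same guard rejects the negative direction (an LCN at S64_MIN plus a negative delta), which `check_add_overflow()` also covers.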