Unverified Commit 984a415f authored by Tobias Gaertner, committed by Konstantin Komarov

ntfs3: fix integer overflow in run_unpack() volume boundary check

The volume boundary check `lcn + len > sbi->used.bitmap.nbits` uses raw
addition which can wrap around for large lcn and len values, bypassing
the validation.  Use check_add_overflow() as is already done for the
adjacent prev_lcn + dlcn and vcn64 + len checks added by commit
3ac37e100385 ("ntfs3: Fix integer overflow in run_unpack()").

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

Fixes: 82cae269 ("fs/ntfs3: Add initialization of super block")
Cc: stable@vger.kernel.org
Signed-off-by: Tobias Gaertner <tob.gaertner@me.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
parent b62567bc
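To make the bypass described in the commit message concrete, the following is an added example (not part of the kernel patch or the author's code) that places the pre-patch raw comparison beside the checked form. It assumes `__builtin_add_overflow()` as a userspace stand-in for the kernel's check_add_overflow(), a constructed `NBITS_EXAMPLE` in place of `sbi->used.bitmap.nbits`, and constructed lcn/len values chosen so the sum wraps.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for sbi->used.bitmap.nbits (cluster count):
 * 2^28 clusters, e.g. a 1 TiB volume with 4 KiB clusters. */
#define NBITS_EXAMPLE ((uint64_t)1 << 28)

/* Pre-patch shape of the test: raw u64 addition wraps modulo 2^64,
 * so a huge lcn + len can compare as "inside" the volume. */
bool lcn_range_in_volume_raw(uint64_t lcn, uint64_t len, uint64_t nbits)
{
	return lcn + len <= nbits;
}

/* Post-patch shape: reject a wrapped sum first, then compare the
 * real end cluster against the volume size. __builtin_add_overflow
 * is the GCC/Clang primitive behind check_add_overflow(). */
bool lcn_range_in_volume_checked(uint64_t lcn, uint64_t len, uint64_t nbits)
{
	uint64_t lcn_end;

	if (__builtin_add_overflow(lcn, len, &lcn_end))
		return false; /* sum does not fit in u64: invalid run */
	return lcn_end <= nbits;
}

/* Returns true when the raw check accepts a run the checked form
 * rejects, i.e. when the raw check was bypassed by wraparound. */
bool raw_check_bypassed(uint64_t lcn, uint64_t len, uint64_t nbits)
{
	return lcn_range_in_volume_raw(lcn, len, nbits) &&
	       !lcn_range_in_volume_checked(lcn, len, nbits);
}

int main(void)
{
	/* Constructed mapping pair: lcn near UINT64_MAX, len small,
	 * so lcn + len wraps to 4, well below nbits. */
	uint64_t lcn = UINT64_MAX - 5, len = 10;

	printf("raw:     %s\n", lcn_range_in_volume_raw(lcn, len, NBITS_EXAMPLE) ? "accepted" : "rejected");
	printf("checked: %s\n", lcn_range_in_volume_checked(lcn, len, NBITS_EXAMPLE) ? "accepted" : "rejected");
	printf("bypass:  %s\n", raw_check_bypassed(lcn, len, NBITS_EXAMPLE) ? "yes" : "no");
	return 0;
}
```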
+9 −3
@@ -1065,10 +1065,16 @@ int run_unpack(struct runs_tree *run, struct ntfs_sb_info *sbi, CLST ino,
			return -EOPNOTSUPP;
		}
#endif
		if (lcn != SPARSE_LCN64 && lcn + len > sbi->used.bitmap.nbits) {
		if (lcn != SPARSE_LCN64) {
			u64 lcn_end;

			if (check_add_overflow(lcn, len, &lcn_end))
				return -EINVAL;
			if (lcn_end > sbi->used.bitmap.nbits) {
				/* LCN range is out of volume. */
				return -EINVAL;
			}
		}

		if (!run)
			; /* Called from check_attr(fslog.c) to check run. */
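Review bot: in the added `if (lcn != SPARSE_LCN64)` block, the overflow branch returns -EINVAL without a comment while only the range branch carries `/* LCN range is out of volume. */`; since both paths return the same error, folding them into one condition would keep the shape of the replaced one-line check and document both rejections at once, e.g. `if (check_add_overflow(lcn, len, &lcn_end) || lcn_end > sbi->used.bitmap.nbits) { /* LCN range is out of volume (or wraps). */ return -EINVAL; }`. Also confirm that `u64 lcn_end` matches the types of `lcn` and `len`, since check_add_overflow() needs compatible operand and result types and the hunk alone does not show their declarations.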