Message-Id: <20260210155634.380168-1-n7l8m4@u.northwestern.edu>
Date: Tue, 10 Feb 2026 15:56:34 +0000
From: Ziyi Guo <n7l8m4@...orthwestern.edu>
To: Konstantin Komarov <almaz.alexandrovich@...agon-software.com>
Cc: ntfs3@...ts.linux.dev,
linux-kernel@...r.kernel.org,
Ziyi Guo <n7l8m4@...orthwestern.edu>
Subject: [PATCH] ntfs3: reject inodes with zero non-DOS link count

ntfs_read_mft() counts file name attributes into two variables:
names (all names including DOS 8.3) and links (non-DOS names
only). The validation at line 424 checks names but set_nlink()
at line 436 uses links. A corrupted NTFS image where all file
name attributes have type FILE_NAME_DOS passes the names check
but results in set_nlink(inode, 0).

When such an inode is loaded via a code path that passes name=NULL
to ntfs_iget5(), the nlink=0 inode enters the VFS. The subsequent
unlink, rmdir, or rename targeting this inode calls drop_nlink()
which triggers WARN_ON(inode->i_nlink == 0) in fs/inode.c.

An all-DOS-name MFT record cannot exist on a valid NTFS volume.
Reject such records by checking for links == 0 before
calling set_nlink().

Signed-off-by: Ziyi Guo <n7l8m4@...orthwestern.edu>
---
fs/ntfs3/inode.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index 0a9ac5efeb67..a2984a4996c8 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -433,6 +433,11 @@ static struct inode *ntfs_read_mft(struct inode *inode,
ni->mi.dirty = true;
}
+ if (!links) {
+ err = -EINVAL;
+ goto out;
+ }
+
set_nlink(inode, links);
if (S_ISDIR(mode)) {
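Review bot: The new `if (!links)` check sits after a block that ends with `ni->mi.dirty = true;`, so a record that is about to be rejected with -EINVAL may already have been marked dirty by that block. Consider moving the check up next to the existing names validation that the commit message refers to, so that both rejections happen before the record is touched. The failure is also silent: a short comment saying that a record holding only FILE_NAME_DOS names is treated as corruption, and a diagnostic on this path, would make a bad image easier to identify from the log than a bare -EINVAL.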
--
2.34.1
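The accounting described in the commit message, as a user-space model added here (not code from the patch or from ntfs3). The helper `model_link_count()`, its `check_links` switch, the enum names other than FILE_NAME_DOS and the sample records are assumptions made for illustration; the existing names validation is modelled as rejecting a zero count.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Name-space values of an NTFS $FILE_NAME attribute (names other than
 * FILE_NAME_DOS are chosen for this model). */
enum { FILE_NAME_POSIX = 0, FILE_NAME_WIN32 = 1,
       FILE_NAME_DOS = 2, FILE_NAME_WIN32_AND_DOS = 3 };

/*
 * Hypothetical model of the link accounting in ntfs_read_mft().
 * types[] holds the name type of each $FILE_NAME attribute in one MFT
 * record. Returns the value that would be passed to set_nlink(), or
 * -EINVAL if the record is rejected.
 */
static int model_link_count(const unsigned char *types, size_t n,
                            int check_links)
{
    unsigned int names = 0, links = 0;

    for (size_t i = 0; i < n; i++) {
        names++;                       /* every name, DOS 8.3 included */
        if (types[i] != FILE_NAME_DOS)
            links++;                   /* non-DOS names only */
    }

    if (!names)                        /* existing validation (assumed form) */
        return -EINVAL;
    if (check_links && !links)         /* validation added by the patch */
        return -EINVAL;
    return (int)links;
}

int main(void)
{
    /* Constructed sample records. */
    const unsigned char valid[]   = { FILE_NAME_WIN32, FILE_NAME_DOS };
    const unsigned char all_dos[] = { FILE_NAME_DOS, FILE_NAME_DOS };

    printf("valid record:        %d\n", model_link_count(valid, 2, 1));
    printf("all-DOS, names only: %d\n", model_link_count(all_dos, 2, 0));
    printf("all-DOS, with patch: %d\n", model_link_count(all_dos, 2, 1));
    return 0;
}
```

With only the names check, the all-DOS record yields a link count of 0, which is the value that later trips the WARN_ON in drop_nlink().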