[lvc-project] [PATCH] ntfs3: fix info-leak in ntfs_rename()

Dmitry Antipov dmantipov at yandex.ru
Wed Jun 10 14:12:59 MSK 2026 

On Wed, 2026-06-10 at 00:08 +0100, Al Viro wrote:

> From the syzkaller spew it would appear that data (filename converted
> to unicode, AFAICS) somehow gets returned by read(2).  If that is
> accurate, I would suggest that the things are already FUBAR and zeroing
> is not going to fix whatever underlying bug you've got there (metadata
> bh left around after the corresponding on-disk block got freed and
> reused for regular file, perhaps?)

Hard to say about copy_to_user_iter(), but at least the first splat
looks correct. At the end of fill_name_de(), data layout is:

struct NTFS_DE *e = buf;
...

    |<- data_size + sizeof(struct NTFS_DE) ->|<- XXX ->|
buf |-----------------------------------------------------------
    |<- ALIGN(data_size, 8) + sizeof(struct NTFS_DE) ->|   ;; e->size

If 'buf' was allocated with kmalloc(), XXX remains uninitialized and
passed as such to memcpy() called from hdr_insert_de().

So using kzalloc() for all buffers passed to fill_name_de() looks
the simplest and most safe solution. OTOH if someone would have
said that an overhead of PAGE_SIZE'd memset() is too large, more
fine-granted solution is to memset() XXX only, i.e.:

diff --git a/fs/ntfs3/namei.c b/fs/ntfs3/namei.c
index b2af8f695e60..21e4a2a34389 100644
--- a/fs/ntfs3/namei.c
+++ b/fs/ntfs3/namei.c
@@ -22,7 +22,7 @@ int fill_name_de(struct ntfs_sb_info *sbi, void *buf, const struct qstr *name,
 {
        int err;
        struct NTFS_DE *e = buf;
-       u16 data_size;
+       u16 data_size, real_size, aligned_size;
        struct ATTR_FILE_NAME *fname = (struct ATTR_FILE_NAME *)(e + 1);
 
 #ifndef CONFIG_NTFS3_64BIT_CLUSTER
@@ -53,7 +53,12 @@ int fill_name_de(struct ntfs_sb_info *sbi, void *buf, const struct qstr *name,
        fname->type = FILE_NAME_POSIX;
        data_size = fname_full_size(fname);
 
-       e->size = cpu_to_le16(ALIGN(data_size, 8) + sizeof(struct NTFS_DE));
+       real_size = data_size + sizeof(struct NTFS_DE);
+       aligned_size = ALIGN(data_size, 8) + sizeof(struct NTFS_DE);
+       if (aligned_size > real_size)
+               memset((char *)buf + real_size, 0, aligned_size - real_size);
+
+       e->size = cpu_to_le16(aligned_size);
        e->key_size = cpu_to_le16(data_size);
        e->flags = 0;
        e->res = 0;

Dmitry

More information about the lvc-project mailing list