Wind River Support Network

Acknowledged

LIN1023-16622 : Security Advisory - linux - CVE-2025-40068

Created: Oct 29, 2025    Updated: Oct 30, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

fs: ntfs3: Fix integer overflow in run_unpack()

The MFT record relative to the file being opened contains its runlist, an array containing information about the file's location on the physical disk. Analysis of all Call Stack paths showed that the values of the runlist array, from which LCNs are calculated, are not validated before run_unpack function.

The run_unpack function decodes the compressed runlist data format from MFT attributes (for example, $DATA), converting them into a runs_tree structure, which describes the mapping of virtual clusters (VCN) to logical clusters (LCN). The NTFS3 subsystem also has a shortcut for deleting files from MFT records - in this case, the RUN_DEALLOCATE command is sent to the run_unpack input, and the function logic provides that all data transferred to the runlist about file or directory is deleted without creating a runs_tree structure.

Substituting the runlist in the $DATA attribute of the MFT record for an arbitrary file can lead either to access to arbitrary data on the disk bypassing access checks to them (since the inode access check occurs above) or to destruction of arbitrary data on the disk.

Add overflow check for addition operation.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
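The class of check the description refers to, shown as an added user-space example (not the kernel's run_unpack() and not the upstream patch): a runlist walker that rejects any VCN or LCN addition that overflows or leaves the volume. It assumes the standard NTFS mapping-pairs encoding (header byte with the length-field size in the low nibble and the offset-field size in the high nibble, signed LCN delta, 0x00 terminator) and the GCC/Clang `__builtin_add_overflow` builtin; `runlist_check`, `total_clusters` and the sample byte arrays are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample runlists (not taken from a real volume). */
const uint8_t RL_OK[]   = { 0x21, 0x18, 0x34, 0x56, 0x11, 0x10, 0xF0, 0x00 };
const uint8_t RL_WRAP[] = { 0x88, 0x10, 0, 0, 0, 0, 0, 0, 0,
                            0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0x00 };
const uint8_t RL_NEG[]  = { 0x11, 0x01, 0xFF, 0x00 };

/* Read an n-byte (1..8) little-endian field, sign-extending if requested. */
static int64_t read_le(const uint8_t *p, unsigned n, int is_signed)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    if (is_signed && n < 8 && (p[n - 1] & 0x80))
        v |= ~0ULL << (8 * n);
    return (int64_t)v;
}

/* Returns the number of runs, or -1 if the runlist is malformed or any
 * VCN/LCN sum overflows or leaves the volume (total_clusters is hypothetical). */
long runlist_check(const uint8_t *buf, size_t len, uint64_t total_clusters)
{
    int64_t vcn = 0, lcn = 0, end_lcn;
    size_t pos = 0;
    long runs = 0;
    while (pos < len && buf[pos] != 0) {
        unsigned hdr = buf[pos++], size_len = hdr & 0x0F, size_off = hdr >> 4;
        if (!size_len || size_len > 8 || size_off > 8 || len - pos < size_len + size_off)
            return -1;
        int64_t run_len = read_le(buf + pos, size_len, 0);
        pos += size_len;
        if (run_len <= 0 || __builtin_add_overflow(vcn, run_len, &vcn))
            return -1;
        if (size_off) {                      /* size_off == 0: sparse run, no LCN */
            int64_t dlcn = read_le(buf + pos, size_off, 1);
            pos += size_off;
            if (__builtin_add_overflow(lcn, dlcn, &lcn) || lcn < 0 ||
                __builtin_add_overflow(lcn, run_len, &end_lcn) ||
                (uint64_t)end_lcn > total_clusters)
                return -1;
        }
        runs++;
    }
    return pos < len ? runs : -1;            /* must stop on the 0x00 terminator */
}

int main(void) { return runlist_check(RL_OK, sizeof RL_OK, 100000) == 2 ? 0 : 1; }
```

RL_WRAP passes every bounds comparison when `total_clusters` is `UINT64_MAX`; only the overflow check on `lcn + run_len` rejects it.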