Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2025-40068

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
28/10/2025
Last modified:
30/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

fs: ntfs3: Fix integer overflow in run_unpack()

The MFT record relative to the file being opened contains its runlist, an array containing information about the file's location on the physical disk. Analysis of all Call Stack paths showed that the values of the runlist array, from which LCNs are calculated, are not validated before run_unpack function.

The run_unpack function decodes the compressed runlist data format from MFT attributes (for example, $DATA), converting them into a runs_tree structure, which describes the mapping of virtual clusters (VCN) to logical clusters (LCN). The NTFS3 subsystem also has a shortcut for deleting files from MFT records - in this case, the RUN_DEALLOCATE command is sent to the run_unpack input, and the function logic provides that all data transferred to the runlist about file or directory is deleted without creating a runs_tree structure.

Substituting the runlist in the $DATA attribute of the MFT record for an arbitrary file can lead either to access to arbitrary data on the disk bypassing access checks to them (since the inode access check occurs above) or to destruction of arbitrary data on the disk.

Add overflow check for addition operation.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
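The class of check the description refers to, shown as an added userspace example (not the kernel's run_unpack code and not the actual patch): a validator for the NTFS mapping-pairs runlist encoding that rejects any run whose VCN or LCN addition would overflow or whose clusters fall outside the volume. The names `runlist_validate`, `read_le_signed` and `total_clusters` are hypothetical, the sample byte strings are constructed, and `__builtin_add_overflow` assumes GCC or Clang.

```c
#include <stddef.h>
#include <stdint.h>

/* Read an n-byte (1..8) little-endian field and sign-extend it. */
static int64_t read_le_signed(const uint8_t *p, unsigned n)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    if (n < 8 && (p[n - 1] & 0x80))
        v |= ~0ULL << (8 * n);
    return (int64_t)v;
}

/* Walk a mapping-pairs runlist with every addition checked. Returns the run
 * count, or -1 if truncated, overflowing, or outside total_clusters. */
int runlist_validate(const uint8_t *buf, size_t len, uint64_t total_clusters)
{
    size_t pos = 0;
    uint64_t vcn = 0, end;
    int64_t lcn = 0;
    int runs = 0;

    while (pos < len && buf[pos] != 0) {
        /* Header byte: low nibble = length field size, high = offset size. */
        unsigned len_sz = buf[pos] & 0x0F, off_sz = buf[pos] >> 4;
        pos++;
        if (len_sz == 0 || len_sz > 8 || off_sz > 8 || len_sz + off_sz > len - pos)
            return -1;
        int64_t count = read_le_signed(buf + pos, len_sz);
        int64_t delta = off_sz ? read_le_signed(buf + pos + len_sz, off_sz) : 0;
        pos += len_sz + off_sz;
        if (count <= 0 || __builtin_add_overflow(vcn, (uint64_t)count, &vcn))
            return -1;              /* next VCN would wrap */
        if (off_sz) {               /* off_sz == 0 is a sparse run: no LCN */
            if (__builtin_add_overflow(lcn, delta, &lcn) || lcn < 0)
                return -1;          /* LCN delta wraps or lands before cluster 0 */
            if (__builtin_add_overflow((uint64_t)lcn, (uint64_t)count, &end) ||
                end > total_clusters)
                return -1;          /* run ends past the volume */
        }
        runs++;
    }
    return pos < len ? runs : -1;   /* require the 0x00 terminator */
}

/* Constructed samples: two valid runs; then two runs with delta INT64_MAX. */
static const uint8_t ok_runs[] = { 0x21, 0x18, 0x34, 0x56, 0x11, 0x10, 0xF0, 0x00 };
static const uint8_t wrap_runs[] = { 0x81, 0x01, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0x7F,
    0x81, 0x01, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0x7F, 0x00 };
```

Validating against the volume size before any LCN is used is what keeps a substituted runlist from pointing reads or deallocations at clusters the file does not own.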

Impact