CVE-2022-49763 Information

Description

In the Linux kernel the following vulnerability has been resolved:

ntfs: fix use-after-free in ntfs_attr_find()

Patch series "ntfs: fix bugs about Attribute", v2.

This patchset fixes three bugs related to Attribute in record:

Patch 1 adds a sanity check to ensure that attrs_offset field in first mft record loading from disk is within bounds.

Patch 2 moves the ATTR_RECORD’s bounds checking earlier to avoid dereferencing ATTR_RECORD before checking this ATTR_RECORD is within bounds.

Patch 3 adds an overflow checking to avoid possible forever loop in ntfs_attr_find().

Without patch 1 and patch 2, the kernel triggers a KASAN use-after-free detection as reported by Syzkaller.

Although either patch 1 or patch 2 alone can fix this, we still need both of them, because patch 1 fixes the root cause and patch 2 not only fixes the direct cause but also fixes the potential out-of-bounds bug.

This patch (of 3):

Syzkaller reported use-after-free read as follows:

BUG: KASAN: use-after-free in ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597
Read of size 2 at addr ffff88807e352009 by task syz-executor153/3607

[...]
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597
 ntfs_attr_lookup+0x1056/0x2070 fs/ntfs/attrib.c:1193
 ntfs_read_inode_mount+0x89a/0x2580 fs/ntfs/inode.c:1845
 ntfs_fill_super+0x1799/0x9320 fs/ntfs/super.c:2854
 mount_bdev+0x34d/0x410 fs/super.c:1400
 legacy_get_tree+0x105/0x220 fs/fs_context.c:610
 vfs_get_tree+0x89/0x2f0 fs/super.c:1530
 do_new_mount fs/namespace.c:3040 [inline]
 path_mount+0x1326/0x1e20 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]

The buggy address belongs to the physical page:
page:ffffea0001f8d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e350
head:ffffea0001f8d400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011842140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88807e351f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807e351f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807e352000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88807e352080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807e352100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

The kernel will load $MFT/$DATA’s first mft record in ntfs_read_inode_mount().

Yet the problem is that after loading, the kernel doesn’t check whether the attrs_offset field is a valid value.

To be more specific, if the attrs_offset field is larger than the bytes_allocated field, then it may trigger the out-of-bounds read bug (reported as a use-after-free bug) in ntfs_attr_find() when the kernel tries to access the corresponding mft record’s attribute.

This patch solves it by adding a sanity check between the attrs_offset field and the bytes_allocated field after loading the first mft record.
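As an added illustration that is not the kernel's own code, the following user-space model shows the MFT record header fields involved and the attrs_offset-versus-bytes_allocated check described above, applied before any attribute at that offset is dereferenced. The struct follows the field order of fs/ntfs/layout.h; the extra magic, header-size and buffer-length checks, the constructed sample record and the check_sample() helper are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Leading fields of the on-disk MFT record header, in the order used by
 * fs/ntfs/layout.h; a little-endian host is assumed for this sample. */
struct mft_record_hdr {
    uint8_t  magic[4];          /* "FILE" */
    uint16_t usa_ofs, usa_count;
    uint64_t lsn;
    uint16_t sequence_number, link_count;
    uint16_t attrs_offset;      /* byte offset of the first ATTR_RECORD */
    uint16_t flags;
    uint32_t bytes_in_use;
    uint32_t bytes_allocated;   /* total size of this mft record */
} __attribute__((packed));

/* The sanity check the patch adds after loading the first mft record:
 * attrs_offset must lie inside the record, i.e. below bytes_allocated.
 * The magic, header-size and buffer-length checks are extra defensive
 * checks added here, not part of the kernel patch. */
bool mft_attrs_offset_ok(const uint8_t *rec, size_t len)
{
    struct mft_record_hdr h;
    if (len < sizeof h) return false;
    memcpy(&h, rec, sizeof h);
    if (memcmp(h.magic, "FILE", 4) != 0) return false;
    if (h.bytes_allocated > len) return false;    /* claims more than was read */
    if (h.attrs_offset < sizeof h) return false;  /* would overlap the header */
    if (h.attrs_offset >= h.bytes_allocated) return false; /* the CVE case */
    return true;
}

/* Builds a constructed 1024-byte record whose header carries attrs_offset,
 * then runs the check as if only `len` bytes of it had been loaded. */
bool check_sample(uint16_t attrs_offset, size_t len)
{
    uint8_t buf[1024];
    struct mft_record_hdr h;
    memset(buf, 0, sizeof buf);
    memset(&h, 0, sizeof h);
    memcpy(h.magic, "FILE", 4);
    h.attrs_offset = attrs_offset;
    h.bytes_in_use = 0x100;
    h.bytes_allocated = sizeof buf;
    memcpy(buf, &h, sizeof h);
    return mft_attrs_offset_ok(buf, len);   /* e.g. 0x38 -> true, 0xfff0 -> false */
}
```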

Reference

https://git.kernel.org/stable/c/266bd5306286316758e6246ea0345133427b0f62
https://git.kernel.org/stable/c/4863f815463034f588a035cfd99cdca97a4f1069
https://git.kernel.org/stable/c/5330c423b86263ac7883fef0260b9e2229cb531e
https://git.kernel.org/stable/c/79f3ac7dcd12c05b7539239a4c6fa229a50d786c
https://git.kernel.org/stable/c/b825bfbbaafbe8da2037e3a778ad660c59f9e054
https://git.kernel.org/stable/c/d0006d739738a658a9c29b438444259d9f71dfa0
https://git.kernel.org/stable/c/d85a1bec8e8d552ab13163ca1874dcd82f3d1550
https://git.kernel.org/stable/c/fb2004bafd1932e08d21ca604ee5844f2b7f212d