CVE-2022-49763

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ntfs: fix use-after-free in ntfs_attr_find()<br /> <br /> Patch series "ntfs: fix bugs about Attribute", v2.<br /> <br /> This patchset fixes three bugs relative to Attribute in record:<br /> <br /> Patch 1 adds a sanity check to ensure that, attrs_offset field in first<br /> mft record loading from disk is within bounds.<br /> <br /> Patch 2 moves the ATTR_RECORD&amp;#39;s bounds checking earlier, to avoid<br /> dereferencing ATTR_RECORD before checking this ATTR_RECORD is within<br /> bounds.<br /> <br /> Patch 3 adds an overflow checking to avoid possible forever loop in<br /> ntfs_attr_find().<br /> <br /> Without patch 1 and patch 2, the kernel triggersa KASAN use-after-free<br /> detection as reported by Syzkaller.<br /> <br /> Although one of patch 1 or patch 2 can fix this, we still need both of<br /> them. Because patch 1 fixes the root cause, and patch 2 not only fixes<br /> the direct cause, but also fixes the potential out-of-bounds bug.<br /> <br /> <br /> This patch (of 3):<br /> <br /> Syzkaller reported use-after-free read as follows:<br /> ==================================================================<br /> BUG: KASAN: use-after-free in ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597<br /> Read of size 2 at addr ffff88807e352009 by task syz-executor153/3607<br /> <br /> [...]<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106<br /> print_address_description mm/kasan/report.c:317 [inline]<br /> print_report.cold+0x2ba/0x719 mm/kasan/report.c:433<br /> kasan_report+0xb1/0x1e0 mm/kasan/report.c:495<br /> ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597<br /> ntfs_attr_lookup+0x1056/0x2070 fs/ntfs/attrib.c:1193<br /> ntfs_read_inode_mount+0x89a/0x2580 fs/ntfs/inode.c:1845<br /> ntfs_fill_super+0x1799/0x9320 fs/ntfs/super.c:2854<br /> mount_bdev+0x34d/0x410 fs/super.c:1400<br /> legacy_get_tree+0x105/0x220 fs/fs_context.c:610<br /> vfs_get_tree+0x89/0x2f0 fs/super.c:1530<br /> do_new_mount fs/namespace.c:3040 [inline]<br /> path_mount+0x1326/0x1e20 fs/namespace.c:3370<br /> do_mount fs/namespace.c:3383 [inline]<br /> __do_sys_mount fs/namespace.c:3591 [inline]<br /> __se_sys_mount fs/namespace.c:3568 [inline]<br /> __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> [...]<br /> <br /> <br /> The buggy address belongs to the physical page:<br /> page:ffffea0001f8d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e350<br /> head:ffffea0001f8d400 order:3 compound_mapcount:0 compound_pincount:0<br /> flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)<br /> raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011842140<br /> raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> Memory state around the buggy address:<br /> ffff88807e351f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> ffff88807e351f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> &gt;ffff88807e352000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ^<br /> ffff88807e352080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff88807e352100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ==================================================================<br /> <br /> Kernel will loads $MFT/$DATA&amp;#39;s first mft record in<br /> ntfs_read_inode_mount().<br /> <br /> Yet the problem is that after loading, kernel doesn&amp;#39;t check whether<br /> attrs_offset field is a valid value.<br /> <br /> To be more specific, if attrs_offset field is larger than bytes_allocated<br /> field, then it may trigger the out-of-bounds read bug(reported as<br /> use-after-free bug) in ntfs_attr_find(), when kernel tries to access the<br /> corresponding mft record&amp;#39;s attribute.<br /> <br /> This patch solves it by adding the sanity check between attrs_offset field<br /> and bytes_allocated field, after loading the first mft record.