CVE-2025-71067

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ntfs: set dummy blocksize to read boot_block when mounting<br /> <br /> When mounting, sb-&gt;s_blocksize is used to read the boot_block without<br /> being defined or validated. Set a dummy blocksize before attempting to<br /> read the boot_block.<br /> <br /> The issue can be triggered with the following syz reproducer:<br /> <br /> mkdirat(0xffffffffffffff9c, &amp;(0x7f0000000080)=&amp;#39;./file1\x00&amp;#39;, 0x0)<br /> r4 = openat$nullb(0xffffffffffffff9c, &amp;(0x7f0000000040), 0x121403, 0x0)<br /> ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &amp;(0x7f0000000980)=0x4000)<br /> mount(&amp;(0x7f0000000140)=@nullb, &amp;(0x7f0000000040)=&amp;#39;./cgroup\x00&amp;#39;,<br /> &amp;(0x7f0000000000)=&amp;#39;ntfs3\x00&amp;#39;, 0x2208004, 0x0)<br /> syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)<br /> <br /> Here, the ioctl sets the bdev block size to 16384. During mount,<br /> get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),<br /> but since block_size(bdev) &gt; PAGE_SIZE, sb_set_blocksize() leaves<br /> sb-&gt;s_blocksize at zero.<br /> <br /> Later, ntfs_init_from_boot() attempts to read the boot_block while<br /> sb-&gt;s_blocksize is still zero, which triggers the bug.<br /> <br /> [almaz.alexandrovich@paragon-software.com: changed comment style, added<br /> return value handling]