CVE-2025-71265

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata<br /> <br /> We found an infinite loop bug in the ntfs3 file system that can lead to a<br /> Denial-of-Service (DoS) condition.<br /> <br /> A malformed NTFS image can cause an infinite loop when an attribute header<br /> indicates an empty run list, while directory entries reference it as<br /> containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way<br /> to represent an empty run list, and run_unpack() correctly handles this by<br /> checking if evcn + 1 equals svcn and returning early without parsing any run<br /> data. However, this creates a problem when there is metadata inconsistency,<br /> where the attribute header claims to be empty (evcn=-1) but the caller<br /> expects to read actual data. When run_unpack() immediately returns success<br /> upon seeing this condition, it leaves the runs_tree uninitialized with<br /> run-&gt;runs as a NULL. The calling function attr_load_runs_range() assumes<br /> that a successful return means that the runs were loaded and sets clen to 0,<br /> expecting the next run_lookup_entry() call to succeed. Because runs_tree<br /> remains uninitialized, run_lookup_entry() continues to fail, and the loop<br /> increments vcn by zero (vcn += 0), leading to an infinite loop.<br /> <br /> This patch adds a retry counter to detect when run_lookup_entry() fails<br /> consecutively after attr_load_runs_vcn(). If the run is still not found on<br /> the second attempt, it indicates corrupted metadata and returns -EINVAL,<br /> preventing the Denial-of-Service (DoS) vulnerability.