CVE-2023-53294
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup()
Syzbot reported a null-ptr-deref bug:
ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512) ntfs3: loop0: Mark volume as dirty due to NTFS errors general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] RIP: 0010:d_flags_for_inode fs/dcache.c:1980 [inline] RIP: 0010:__d_add+0x5ce/0x800 fs/dcache.c:2796 Call Trace: <TASK> d_splice_alias+0x122/0x3b0 fs/dcache.c:3191 lookup_open fs/namei.c:3391 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x10e6/0x2df0 fs/namei.c:3688 do_filp_open+0x264/0x4f0 fs/namei.c:3718 do_sys_openat2+0x124/0x4e0 fs/open.c:1310 do_sys_open fs/open.c:1326 [inline] __do_sys_open fs/open.c:1334 [inline] __se_sys_open fs/open.c:1330 [inline] __x64_sys_open+0x221/0x270 fs/open.c:1330 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd
If the MFT record of ntfs inode is not a base record, inode->i_op can be NULL. And a null-ptr-deref may happen:
ntfs_lookup() dir_search_u() # inode->i_op is set to NULL d_splice_alias() __d_add() d_flags_for_inode() # inode->i_op->get_link null-ptr-deref
Fix this by adding a Check on inode->i_op before calling the d_splice_alias() function.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 4342306f0f0d5ff4315a204d315c1b51b914fca5 < f8d9e062a695a3665c4635c4f216a75912687598 | affected |
| Linux | Linux | 4342306f0f0d5ff4315a204d315c1b51b914fca5 < d69d5e2a81df94534bdb468bcdd26060fcb7191a | affected |
| Linux | Linux | 4342306f0f0d5ff4315a204d315c1b51b914fca5 < 2ba22cbc6a1cf4b58195adbee0b80262e53992d3 | affected |
| Linux | Linux | 4342306f0f0d5ff4315a204d315c1b51b914fca5 < e78240bc4b94fc42854d65e657bb998100cc8e1b | affected |
| Linux | Linux | 4342306f0f0d5ff4315a204d315c1b51b914fca5 < 254e69f284d7270e0abdc023ee53b71401c3ba0c | affected |
| Linux | Linux | 5.15 | affected |
| Linux | Linux | 0 < 5.15 | unaffected |
| Linux | Linux | 5.15.112 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.29 <= 6.1.* | unaffected |
| Linux | Linux | 6.2.16 <= 6.2.* | unaffected |
| Linux | Linux | 6.3.3 <= 6.3.* | unaffected |
| Linux | Linux | 6.4 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/f8d9e062a695a3665c4635c4f216a75912687598
- https://git.kernel.org/stable/c/d69d5e2a81df94534bdb468bcdd26060fcb7191a
- https://git.kernel.org/stable/c/2ba22cbc6a1cf4b58195adbee0b80262e53992d3
- https://git.kernel.org/stable/c/e78240bc4b94fc42854d65e657bb998100cc8e1b
- https://git.kernel.org/stable/c/254e69f284d7270e0abdc023ee53b71401c3ba0c
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.