CVE-2023-54063

Summary

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix OOB read in indx_insert_into_buffer

Syzbot reported a OOB read bug:

BUG: KASAN: slab-out-of-bounds in indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755 Read of size 17168 at addr ffff8880255e06c0 by task syz-executor308/3630

Call Trace: <TASK> memmove+0x25/0x60 mm/kasan/shadow.c:54 indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755 indx_insert_entry+0x446/0x6b0 fs/ntfs3/index.c:1863 ntfs_create_inode+0x1d3f/0x35c0 fs/ntfs3/inode.c:1548 ntfs_create+0x3e/0x60 fs/ntfs3/namei.c:100 lookup_open fs/namei.c:3413 [inline]

If the member struct INDEX_BUFFER *index of struct indx_node is incorrect, that is, the value of __le32 used is greater than the value of __le32 total in struct INDEX_HDR. Therefore, OOB read occurs when memmove is called in indx_insert_into_buffer(). Fix this by adding a check in hdr_find_e().

Affected Software

VendorProductVersion RangeStatus
LinuxLinux82cae269cfa953032fbb8980a7d554d60fb00b17 < cd7e1d67924081717c5c96ead758a1a77867689aaffected
LinuxLinux82cae269cfa953032fbb8980a7d554d60fb00b17 < 17048287ac79abd33b275ac3b5738285d406481baffected
LinuxLinux82cae269cfa953032fbb8980a7d554d60fb00b17 < a7e5dba10ba1402dd6c2f961a70320770865c4a5affected
LinuxLinux82cae269cfa953032fbb8980a7d554d60fb00b17 < 4bf3b564e27a518f158a83d5e1a50064ed6136a0affected
LinuxLinux82cae269cfa953032fbb8980a7d554d60fb00b17 < b8c44949044e5f7f864525fdffe8e95135ce9ce5affected
LinuxLinux5.15affected
LinuxLinux0 < 5.15unaffected
LinuxLinux5.15.111 <= 5.15.*unaffected
LinuxLinux6.1.28 <= 6.1.*unaffected
LinuxLinux6.2.15 <= 6.2.*unaffected
LinuxLinux6.3.2 <= 6.3.*unaffected
LinuxLinux6.4 <= *unaffected

Weaknesses

References