CVE-2023-54077
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Fix memory leak if ntfs_read_mft failed
Label ATTR_ROOT in ntfs_read_mft() sets is_root = true and ni->ni_flags |= NI_FLAG_DIR, then next attr will goto label ATTR_ALLOC and alloc ni->dir.alloc_run. However two states are not always consistent and can make memory leak.
- attr_name in ATTR_ROOT does not fit the condition it will set is_root = true but NI_FLAG_DIR is not set.
- next attr_name in ATTR_ALLOC fits the condition and alloc ni->dir.alloc_run
- in cleanup function ni_clear(), when NI_FLAG_DIR is set, it frees ni->dir.alloc_run, otherwise it frees ni->file.run
- because NI_FLAG_DIR is not set in this case, ni->dir.alloc_run is leaked as kmemleak reported:
unreferenced object 0xffff888003bc5480 (size 64): backtrace: [<000000003d42e6b0>] __kmalloc_node+0x4e/0x1c0 [<00000000d8e19b8a>] kvmalloc_node+0x39/0x1f0 [<00000000fc3eb5b8>] run_add_entry+0x18a/0xa40 [ntfs3] [<0000000011c9f978>] run_unpack+0x75d/0x8e0 [ntfs3] [<00000000e7cf1819>] run_unpack_ex+0xbc/0x500 [ntfs3] [<00000000bbf0a43d>] ntfs_iget5+0xb25/0x2dd0 [ntfs3] [<00000000a6e50693>] ntfs_fill_super+0x218d/0x3580 [ntfs3] [<00000000b9170608>] get_tree_bdev+0x3fb/0x710 [<000000004833798a>] vfs_get_tree+0x8e/0x280 [<000000006e20b8e6>] path_mount+0xf3c/0x1930 [<000000007bf15a5f>] do_mount+0xf3/0x110 …
Fix this by always setting is_root and NI_FLAG_DIR together.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 82cae269cfa953032fbb8980a7d554d60fb00b17 < 3030f2b9b3329db3948c1a145a5493ca6f617d50 | affected |
| Linux | Linux | 82cae269cfa953032fbb8980a7d554d60fb00b17 < 1bc6bb657dfb0ab3b94ef6d477ca241bf7b6ec06 | affected |
| Linux | Linux | 82cae269cfa953032fbb8980a7d554d60fb00b17 < 93bf79f989688852deade1550fb478b0a4d8daa8 | affected |
| Linux | Linux | 82cae269cfa953032fbb8980a7d554d60fb00b17 < 3bb0d3eb475f01744ce6d6e998dfbd80220852a1 | affected |
| Linux | Linux | 82cae269cfa953032fbb8980a7d554d60fb00b17 < bfa434c60157c9793e9b12c9b68ade02aff9f803 | affected |
| Linux | Linux | 5.15 | affected |
| Linux | Linux | 0 < 5.15 | unaffected |
| Linux | Linux | 5.15.111 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.28 <= 6.1.* | unaffected |
| Linux | Linux | 6.2.15 <= 6.2.* | unaffected |
| Linux | Linux | 6.3.2 <= 6.3.* | unaffected |
| Linux | Linux | 6.4 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/3030f2b9b3329db3948c1a145a5493ca6f617d50
- https://git.kernel.org/stable/c/1bc6bb657dfb0ab3b94ef6d477ca241bf7b6ec06
- https://git.kernel.org/stable/c/93bf79f989688852deade1550fb478b0a4d8daa8
- https://git.kernel.org/stable/c/3bb0d3eb475f01744ce6d6e998dfbd80220852a1
- https://git.kernel.org/stable/c/bfa434c60157c9793e9b12c9b68ade02aff9f803
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.