CVE-2023-54077

Summary

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix memory leak if ntfs_read_mft failed

Label ATTR_ROOT in ntfs_read_mft() sets is_root = true and ni->ni_flags |= NI_FLAG_DIR, then next attr will goto label ATTR_ALLOC and alloc ni->dir.alloc_run. However two states are not always consistent and can make memory leak.

  1. attr_name in ATTR_ROOT does not fit the condition it will set is_root = true but NI_FLAG_DIR is not set.
  2. next attr_name in ATTR_ALLOC fits the condition and alloc ni->dir.alloc_run
  3. in cleanup function ni_clear(), when NI_FLAG_DIR is set, it frees ni->dir.alloc_run, otherwise it frees ni->file.run
  4. because NI_FLAG_DIR is not set in this case, ni->dir.alloc_run is leaked as kmemleak reported:

unreferenced object 0xffff888003bc5480 (size 64): backtrace: [<000000003d42e6b0>] __kmalloc_node+0x4e/0x1c0 [<00000000d8e19b8a>] kvmalloc_node+0x39/0x1f0 [<00000000fc3eb5b8>] run_add_entry+0x18a/0xa40 [ntfs3] [<0000000011c9f978>] run_unpack+0x75d/0x8e0 [ntfs3] [<00000000e7cf1819>] run_unpack_ex+0xbc/0x500 [ntfs3] [<00000000bbf0a43d>] ntfs_iget5+0xb25/0x2dd0 [ntfs3] [<00000000a6e50693>] ntfs_fill_super+0x218d/0x3580 [ntfs3] [<00000000b9170608>] get_tree_bdev+0x3fb/0x710 [<000000004833798a>] vfs_get_tree+0x8e/0x280 [<000000006e20b8e6>] path_mount+0xf3c/0x1930 [<000000007bf15a5f>] do_mount+0xf3/0x110 …

Fix this by always setting is_root and NI_FLAG_DIR together.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux82cae269cfa953032fbb8980a7d554d60fb00b17 < 3030f2b9b3329db3948c1a145a5493ca6f617d50affected
LinuxLinux82cae269cfa953032fbb8980a7d554d60fb00b17 < 1bc6bb657dfb0ab3b94ef6d477ca241bf7b6ec06affected
LinuxLinux82cae269cfa953032fbb8980a7d554d60fb00b17 < 93bf79f989688852deade1550fb478b0a4d8daa8affected
LinuxLinux82cae269cfa953032fbb8980a7d554d60fb00b17 < 3bb0d3eb475f01744ce6d6e998dfbd80220852a1affected
LinuxLinux82cae269cfa953032fbb8980a7d554d60fb00b17 < bfa434c60157c9793e9b12c9b68ade02aff9f803affected
LinuxLinux5.15affected
LinuxLinux0 < 5.15unaffected
LinuxLinux5.15.111 <= 5.15.*unaffected
LinuxLinux6.1.28 <= 6.1.*unaffected
LinuxLinux6.2.15 <= 6.2.*unaffected
LinuxLinux6.3.2 <= 6.3.*unaffected
LinuxLinux6.4 <= *unaffected

Weaknesses

References