In the Linux kernel, the following vulnerability has been resolved:

ntfs: fix use-after-free in ntfsattrfind()

Patch series "ntfs: fix bugs about Attribute", v2.

This patchset fixes three bugs relative to Attribute in record:

Patch 1 adds a sanity check to ensure that, attrs_offset field in first mft record loading from disk is within bounds.

Patch 2 moves the ATTRRECORD's bounds checking earlier, to avoid dereferencing ATTRRECORD before checking this ATTR_RECORD is within bounds.

Patch 3 adds an overflow checking to avoid possible forever loop in ntfsattrfind().

Without patch 1 and patch 2, the kernel triggersa KASAN use-after-free detection as reported by Syzkaller.

Although one of patch 1 or patch 2 can fix this, we still need both of them. Because patch 1 fixes the root cause, and patch 2 not only fixes the direct cause, but also fixes the potential out-of-bounds bug.

This patch (of 3):

Syzkaller reported use-after-free read as follows:

BUG: KASAN: use-after-free in ntfsattrfind+0xc02/0xce0 fs/ntfs/attrib.c:597 Read of size 2 at addr ffff88807e352009 by task syz-executor153/3607

[...] Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0xcd/0x134 lib/dumpstack.c:106 printaddressdescription mm/kasan/report.c:317 [inline] printreport.cold+0x2ba/0x719 mm/kasan/report.c:433 kasanreport+0xb1/0x1e0 mm/kasan/report.c:495 ntfsattrfind+0xc02/0xce0 fs/ntfs/attrib.c:597 ntfsattrlookup+0x1056/0x2070 fs/ntfs/attrib.c:1193 ntfsreadinodemount+0x89a/0x2580 fs/ntfs/inode.c:1845 ntfsfillsuper+0x1799/0x9320 fs/ntfs/super.c:2854 mountbdev+0x34d/0x410 fs/super.c:1400 legacygettree+0x105/0x220 fs/fscontext.c:610 vfsgettree+0x89/0x2f0 fs/super.c:1530 donewmount fs/namespace.c:3040 [inline] pathmount+0x1326/0x1e20 fs/namespace.c:3370 domount fs/namespace.c:3383 [inline] _dosysmount fs/namespace.c:3591 [inline] _sesysmount fs/namespace.c:3568 [inline] _x64sysmount+0x27f/0x300 fs/namespace.c:3568 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x35/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd [...] </TASK>

The buggy address belongs to the physical page: page:ffffea0001f8d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e350 head:ffffea0001f8d400 order:3 compoundmapcount:0 compoundpincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011842140 raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88807e351f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88807e351f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

ffff88807e352000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807e352080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

ffff88807e352100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Kernel will loads $MFT/$DATA's first mft record in ntfsreadinode_mount().

Yet the problem is that after loading, kernel doesn't check whether attrs_offset field is a valid value.

To be more specific, if attrsoffset field is larger than bytesallocated field, then it may trigger the out-of-bounds read bug(reported as use-after-free bug) in ntfsattrfind(), when kernel tries to access the corresponding mft record's attribute.

This patch solves it by adding the sanity check between attrsoffset field and bytesallocated field, after loading the first mft record.