CVE-2023-54077

Label ATTRROOT in ntfsreadmft() sets isroot = true and ni->niflags |= NIFLAGDIR, then next attr will goto label ATTRALLOC and alloc ni->dir.alloc_run. However two states are not always consistent and can make memory leak.

1) attrname in ATTRROOT does not fit the condition it will set isroot = true but NIFLAGDIR is not set. 2) next attrname in ATTRALLOC fits the condition and alloc ni->dir.allocrun 3) in cleanup function niclear(), when NIFLAGDIR is set, it frees ni->dir.allocrun, otherwise it frees ni->file.run 4) because NIFLAGDIR is not set in this case, ni->dir.alloc_run is leaked as kmemleak reported:

unreferenced object 0xffff888003bc5480 (size 64): backtrace: [<000000003d42e6b0>] __kmallocnode+0x4e/0x1c0 [<00000000d8e19b8a>] kvmallocnode+0x39/0x1f0 [<00000000fc3eb5b8>] runaddentry+0x18a/0xa40 [ntfs3] [<0000000011c9f978>] rununpack+0x75d/0x8e0 [ntfs3] [<00000000e7cf1819>] rununpackex+0xbc/0x500 [ntfs3] [<00000000bbf0a43d>] ntfsiget5+0xb25/0x2dd0 [ntfs3] [<00000000a6e50693>] ntfsfillsuper+0x218d/0x3580 [ntfs3] [<00000000b9170608>] gettreebdev+0x3fb/0x710 [<000000004833798a>] vfsgettree+0x8e/0x280 [<000000006e20b8e6>] pathmount+0xf3c/0x1930 [<000000007bf15a5f>] domount+0xf3/0x110 ...

Fix this by always setting isroot and NIFLAG_DIR together.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54077.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

82cae269cfa953032fbb8980a7d554d60fb00b17

Fixed

3030f2b9b3329db3948c1a145a5493ca6f617d50

Fixed

1bc6bb657dfb0ab3b94ef6d477ca241bf7b6ec06

Fixed

93bf79f989688852deade1550fb478b0a4d8daa8

Fixed

3bb0d3eb475f01744ce6d6e998dfbd80220852a1

Fixed

bfa434c60157c9793e9b12c9b68ade02aff9f803

Affected versions

v5.*

v5.14

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.15.1

v5.15.10

v5.15.100

v5.15.101

v5.15.102

v5.15.103

v5.15.104

v5.15.105

v5.15.106

v5.15.107

v5.15.108

v5.15.109

v5.15.11

v5.15.110

v5.15.12

v5.15.13

v5.15.14

v5.15.15

v5.15.16

v5.15.17

v5.15.18

v5.15.19

v5.15.2

v5.15.20

v5.15.21

v5.15.22

v5.15.23

v5.15.24

v5.15.25

v5.15.26

v5.15.27

v5.15.28

v5.15.29

v5.15.3

v5.15.30

v5.15.31

v5.15.32

v5.15.33

v5.15.34

v5.15.35

v5.15.36

v5.15.37

v5.15.38

v5.15.39

v5.15.4

v5.15.40

v5.15.41

v5.15.42

v5.15.43

v5.15.44

v5.15.45

v5.15.46

v5.15.47

v5.15.48

v5.15.49

v5.15.5

v5.15.50

v5.15.51

v5.15.52

v5.15.53

v5.15.54

v5.15.55

v5.15.56

v5.15.57

v5.15.58

v5.15.59

v5.15.6

v5.15.60

v5.15.61

v5.15.62

v5.15.63

v5.15.64

v5.15.65

v5.15.66

v5.15.67

v5.15.68

v5.15.69

v5.15.7

v5.15.70

v5.15.71

v5.15.72

v5.15.73

v5.15.74

v5.15.75

v5.15.76

v5.15.77

v5.15.78

v5.15.79

v5.15.8

v5.15.80

v5.15.81

v5.15.82

v5.15.83

v5.15.84

v5.15.85

v5.15.86

v5.15.87

v5.15.88

v5.15.89

v5.15.9

v5.15.90

v5.15.91

v5.15.92

v5.15.93

v5.15.94

v5.15.95

v5.15.96

v5.15.97

v5.15.98

v5.15.99

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.17

v5.17-rc1

v5.17-rc2

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.1

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

v6.1-rc5

v6.1-rc6

v6.1-rc7

v6.1-rc8

v6.1.1

v6.1.10

v6.1.11

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.16

v6.1.17

v6.1.18

v6.1.19

v6.1.2

v6.1.20

v6.1.21

v6.1.22

v6.1.23

v6.1.24

v6.1.25

v6.1.26

v6.1.27

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.1.7

v6.1.8

v6.1.9

v6.2

v6.2-rc1

v6.2-rc2

v6.2-rc3

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.2.1

v6.2.10

v6.2.11

v6.2.12

v6.2.13

v6.2.14

v6.2.2

v6.2.3

v6.2.4

v6.2.5

v6.2.6

v6.2.7

v6.2.8

v6.2.9

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54077.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.15.0

Fixed

5.15.111

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.28

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.2.15

Type: ECOSYSTEM
Events: Introduced

6.3.0

Fixed

6.3.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54077.json"