CVE-2025-71265

In the Linux kernel, the following vulnerability has been resolved:

fs: ntfs3: fix infinite loop in attrloadruns_range on inconsistent metadata

We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.

A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and rununpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When rununpack() immediately returns success upon seeing this condition, it leaves the runstree uninitialized with run->runs as a NULL. The calling function attrloadrunsrange() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next runlookupentry() call to succeed. Because runstree remains uninitialized, runlookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.

This patch adds a retry counter to detect when runlookupentry() fails consecutively after attrloadruns_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.