CVE-2023-53194

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Add length check in indxgetroot

This adds a length check to guarantee the retrieved index root is legit.

[ 162.459513] BUG: KASAN: use-after-free in hdrfinde.isra.0+0x10c/0x320 [ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243 [ 162.460851] [ 162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42 [ 162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 162.462609] Call Trace: [ 162.462954] <TASK> [ 162.463276] dumpstacklvl+0x49/0x63 [ 162.463822] printreport.cold+0xf5/0x689 [ 162.464608] ? unwindgetreturnaddress+0x3a/0x60 [ 162.465766] ? hdrfinde.isra.0+0x10c/0x320 [ 162.466975] kasanreport+0xa7/0x130 [ 162.467506] ? rawspinlockirq+0xc0/0xf0 [ 162.467998] ? hdrfind_e.isra.0+0x10c/0x320 [ 162.468536] __asanload2+0x68/0x90 [ 162.468923] hdrfinde.isra.0+0x10c/0x320 [ 162.469282] ? cmpuints+0xe0/0xe0 [ 162.469557] ? cmpsdh+0x90/0x90 [ 162.469864] ? nifindattr+0x214/0x300 [ 162.470217] ? niloadmi+0x80/0x80 [ 162.470479] ? entrySYSCALL64afterhwframe+0x63/0xcd [ 162.470931] ? ntfsbreadrun+0x190/0x190 [ 162.471307] ? indxgetroot+0xe4/0x190 [ 162.471556] ? indxgetroot+0x140/0x190 [ 162.471833] ? indxinit+0x1e0/0x1e0 [ 162.472069] ? fndclear+0x115/0x140 [ 162.472363] ? rawspinlockirqsave+0x100/0x100 [ 162.472731] indxfind+0x184/0x470 [ 162.473461] ? sysvecapictimerinterrupt+0x57/0xc0 [ 162.474429] ? indxfindbuffer+0x2d0/0x2d0 [ 162.474704] ? dosyscall64+0x3b/0x90 [ 162.474962] dirsearchu+0x196/0x2f0 [ 162.475381] ? ntfsnlstoutf16+0x450/0x450 [ 162.475661] ? ntfssecurityinit+0x3d6/0x440 [ 162.475906] ? issdvalid+0x180/0x180 [ 162.476191] ntfsextendinit+0x13f/0x2c0 [ 162.476496] ? ntfsfixpostread+0x130/0x130 [ 162.476861] ? iput.part.0+0x286/0x320 [ 162.477325] ntfsfillsuper+0x11e0/0x1b50 [ 162.477709] ? putntfs+0x1d0/0x1d0 [ 162.477970] ? vsprintf+0x20/0x20 [ 162.478258] ? setblocksize+0x95/0x150 [ 162.478538] gettreebdev+0x232/0x370 [ 162.478789] ? putntfs+0x1d0/0x1d0 [ 162.479038] ntfsfsgettree+0x15/0x20 [ 162.479374] vfsgettree+0x4c/0x130 [ 162.479729] pathmount+0x654/0xfe0 [ 162.480124] ? putname+0x80/0xa0 [ 162.480484] ? finishautomount+0x2e0/0x2e0 [ 162.480894] ? putname+0x80/0xa0 [ 162.481467] ? kmemcachefree+0x1c4/0x440 [ 162.482280] ? putname+0x80/0xa0 [ 162.482714] domount+0xd6/0xf0 [ 162.483264] ? path_mount+0xfe0/0xfe0 [ 162.484782] ? __kasancheckwrite+0x14/0x20 [ 162.485593] _x64sysmount+0xca/0x110 [ 162.486024] dosyscall64+0x3b/0x90 [ 162.486543] entrySYSCALL64afterhwframe+0x63/0xcd [ 162.487141] RIP: 0033:0x7f9d374e948a [ 162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIGRAX: 00000000000000a5 [ 162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a [ 162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0 [ 162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020 [ 162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0 [ 162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff [ 162.493644] </TASK> [ 162.493908] [ 162.494214] The buggy address belongs to the physical page: [ 162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc [ 162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) [ 162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000 [ 162.498928] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000 [ 162.500542] page dumped becau ---truncated---