CVE-2023-54125

Source
https://cve.org/CVERecord?id=CVE-2023-54125
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54125.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-54125
Downstream
Related
Published
2025-12-24T13:06:43.977Z
Modified
2026-03-31T17:29:47.083691075Z
Summary
fs/ntfs3: Return error for inconsistent extended attributes
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Return error for inconsistent extended attributes

ntfs_read_ea is called when we want to read extended attributes. There are some sanity checks for the validity of the EAs. However, it fails to return a proper error code for the inconsistent attributes, which might lead to unpredicted memory accesses after return.

[ 138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0
[ 138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199
[ 138.931132]
[ 138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4
[ 138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 138.947327] Call Trace:
[ 138.949557] <TASK>
[ 138.951539] dump_stack_lvl+0x4d/0x67
[ 138.956834] print_report+0x16f/0x4a6
[ 138.960798] ? ntfs_set_ea+0x453/0xbf0
[ 138.964437] ? kasan_complete_mode_report_info+0x7d/0x200
[ 138.969793] ? ntfs_set_ea+0x453/0xbf0
[ 138.973523] kasan_report+0xb8/0x140
[ 138.976740] ? ntfs_set_ea+0x453/0xbf0
[ 138.980578] __asan_store4+0x76/0xa0
[ 138.984669] ntfs_set_ea+0x453/0xbf0
[ 138.988115] ? __pfx_ntfs_set_ea+0x10/0x10
[ 138.993390] ? kernel_text_address+0xd3/0xe0
[ 138.998270] ? __kernel_text_address+0x16/0x50
[ 139.002121] ? unwind_get_return_address+0x3e/0x60
[ 139.005659] ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 139.010177] ? arch_stack_walk+0xa2/0x100
[ 139.013657] ? filter_irq_stacks+0x27/0x80
[ 139.017018] ntfs_setxattr+0x405/0x440
[ 139.022151] ? __pfx_ntfs_setxattr+0x10/0x10
[ 139.026569] ? kvmalloc_node+0x2d/0x120
[ 139.030329] ? kasan_save_stack+0x41/0x60
[ 139.033883] ? kasan_save_stack+0x2a/0x60
[ 139.037338] ? kasan_set_track+0x29/0x40
[ 139.040163] ? kasan_save_alloc_info+0x1f/0x30
[ 139.043588] ? __kasan_kmalloc+0x8b/0xa0
[ 139.047255] ? __kmalloc_node+0x68/0x150
[ 139.051264] ? kvmalloc_node+0x2d/0x120
[ 139.055301] ? vmemdup_user+0x2b/0xa0
[ 139.058584] __vfs_setxattr+0x121/0x170
[ 139.062617] ? __pfx___vfs_setxattr+0x10/0x10
[ 139.066282] __vfs_setxattr_noperm+0x97/0x300
[ 139.070061] __vfs_setxattr_locked+0x145/0x170
[ 139.073580] vfs_setxattr+0x137/0x2a0
[ 139.076641] ? __pfx_vfs_setxattr+0x10/0x10
[ 139.080223] ? __kasan_check_write+0x18/0x20
[ 139.084234] do_setxattr+0xce/0x150
[ 139.087768] setxattr+0x126/0x140
[ 139.091250] ? __pfx_setxattr+0x10/0x10
[ 139.094948] ? __virt_addr_valid+0xcb/0x140
[ 139.097838] ? __call_rcu_common.constprop.0+0x1c7/0x330
[ 139.102688] ? debug_smp_processor_id+0x1b/0x30
[ 139.105985] ? kasan_quarantine_put+0x5b/0x190
[ 139.109980] ? putname+0x84/0xa0
[ 139.113886] ? __kasan_slab_free+0x11e/0x1b0
[ 139.117961] ? putname+0x84/0xa0
[ 139.121316] ? preempt_count_sub+0x1c/0xd0
[ 139.124427] ? __mnt_want_write+0xae/0x100
[ 139.127836] ? mnt_want_write+0x8f/0x150
[ 139.130954] path_setxattr+0x164/0x180
[ 139.133998] ? __pfx_path_setxattr+0x10/0x10
[ 139.137853] ? __pfx_ksys_pwrite64+0x10/0x10
[ 139.141299] ? debug_smp_processor_id+0x1b/0x30
[ 139.145714] ? fpregs_assert_state_consistent+0x6b/0x80
[ 139.150796] __x64_sys_setxattr+0x71/0x90
[ 139.155407] do_syscall_64+0x3f/0x90
[ 139.159035] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 139.163843] RIP: 0033:0x7f108cae4469
[ 139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088
[ 139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc
[ 139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469
[ 139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6
[ 139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618
[ 139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0
[ 139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15 ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54125.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b
Fixed
1474098b590a426d90f27bb992f17c326e0b60c1
Fixed
c9db0ff04649aa0b45f497183c957fe260f229f6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
333feb7ba84f69f9b423422417aaac54fd9e7c84
Last affected
000a9a72efa4a9df289bab9c9e8ba1639c72e0d6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54125.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.4.12

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54125.json"