{"id":"CVE-2022-49763","summary":"ntfs: fix use-after-free in ntfs_attr_find()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: fix use-after-free in ntfs_attr_find()\n\nPatch series \"ntfs: fix bugs about Attribute\", v2.\n\nThis patchset fixes three bugs relative to Attribute in record:\n\nPatch 1 adds a sanity check to ensure that, attrs_offset field in first\nmft record loading from disk is within bounds.\n\nPatch 2 moves the ATTR_RECORD's bounds checking earlier, to avoid\ndereferencing ATTR_RECORD before checking this ATTR_RECORD is within\nbounds.\n\nPatch 3 adds an overflow checking to avoid possible forever loop in\nntfs_attr_find().\n\nWithout patch 1 and patch 2, the kernel triggersa KASAN use-after-free\ndetection as reported by Syzkaller.\n\nAlthough one of patch 1 or patch 2 can fix this, we still need both of\nthem.  Because patch 1 fixes the root cause, and patch 2 not only fixes\nthe direct cause, but also fixes the potential out-of-bounds bug.\n\n\nThis patch (of 3):\n\nSyzkaller reported use-after-free read as follows:\n==================================================================\nBUG: KASAN: use-after-free in ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597\nRead of size 2 at addr ffff88807e352009 by task syz-executor153/3607\n\n[...]\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:317 [inline]\n print_report.cold+0x2ba/0x719 mm/kasan/report.c:433\n kasan_report+0xb1/0x1e0 mm/kasan/report.c:495\n ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597\n ntfs_attr_lookup+0x1056/0x2070 fs/ntfs/attrib.c:1193\n ntfs_read_inode_mount+0x89a/0x2580 fs/ntfs/inode.c:1845\n ntfs_fill_super+0x1799/0x9320 fs/ntfs/super.c:2854\n mount_bdev+0x34d/0x410 fs/super.c:1400\n legacy_get_tree+0x105/0x220 fs/fs_context.c:610\n vfs_get_tree+0x89/0x2f0 fs/super.c:1530\n do_new_mount fs/namespace.c:3040 [inline]\n path_mount+0x1326/0x1e20 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n [...]\n \u003c/TASK\u003e\n\nThe buggy address belongs to the physical page:\npage:ffffea0001f8d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e350\nhead:ffffea0001f8d400 order:3 compound_mapcount:0 compound_pincount:0\nflags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011842140\nraw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\n ffff88807e351f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff88807e351f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n\u003effff88807e352000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                      ^\n ffff88807e352080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff88807e352100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\n\nKernel will loads $MFT/$DATA's first mft record in\nntfs_read_inode_mount().\n\nYet the problem is that after loading, kernel doesn't check whether\nattrs_offset field is a valid value.\n\nTo be more specific, if attrs_offset field is larger than bytes_allocated\nfield, then it may trigger the out-of-bounds read bug(reported as\nuse-after-free bug) in ntfs_attr_find(), when kernel tries to access the\ncorresponding mft record's attribute.\n\nThis patch solves it by adding the sanity check between attrs_offset field\nand bytes_allocated field, after loading the first mft record.","modified":"2026-04-03T13:14:41.254661Z","published":"2025-05-01T14:09:03.607Z","related":["SUSE-SU-2025:01966-1","SUSE-SU-2025:02173-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49763.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/266bd5306286316758e6246ea0345133427b0f62"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4863f815463034f588a035cfd99cdca97a4f1069"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5330c423b86263ac7883fef0260b9e2229cb531e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/79f3ac7dcd12c05b7539239a4c6fa229a50d786c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b825bfbbaafbe8da2037e3a778ad660c59f9e054"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d0006d739738a658a9c29b438444259d9f71dfa0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d85a1bec8e8d552ab13163ca1874dcd82f3d1550"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fb2004bafd1932e08d21ca604ee5844f2b7f212d"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49763.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49763"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2"},{"fixed":"79f3ac7dcd12c05b7539239a4c6fa229a50d786c"},{"fixed":"fb2004bafd1932e08d21ca604ee5844f2b7f212d"},{"fixed":"d0006d739738a658a9c29b438444259d9f71dfa0"},{"fixed":"266bd5306286316758e6246ea0345133427b0f62"},{"fixed":"b825bfbbaafbe8da2037e3a778ad660c59f9e054"},{"fixed":"5330c423b86263ac7883fef0260b9e2229cb531e"},{"fixed":"4863f815463034f588a035cfd99cdca97a4f1069"},{"fixed":"d85a1bec8e8d552ab13163ca1874dcd82f3d1550"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49763.json"}}],"schema_version":"1.7.5"}