CVE-2023-52631 fs/ntfs3: Fix an NULL dereference bug

2024-04-0206:22:07

Linux

www.cve.org

linux kernel

ntfs3

null dereference

AI Score

7.8

Confidence

High

EPSS

Percentile

15.5%

JSON

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix an NULL dereference bug

The issue here is when this is called from ntfs_load_attr_list(). The
“size” comes from le32_to_cpu(attr->res.data_size) so it can’t overflow
on a 64bit systems but on 32bit systems the “+ 1023” can overflow and
the result is zero. This means that the kmalloc will succeed by
returning the ZERO_SIZE_PTR and then the memcpy() will crash with an
Oops on the next line.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/ntfs3/ntfs_fs.h"
    ],
    "versions": [
      {
        "version": "be71b5cba2e6",
        "lessThan": "ae4acad41b0f",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "be71b5cba2e6",
        "lessThan": "ec1bedd79758",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "be71b5cba2e6",
        "lessThan": "fb7bcd1722bc",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "be71b5cba2e6",
        "lessThan": "686820fe141e",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "be71b5cba2e6",
        "lessThan": "b2dd7b953c25",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/ntfs3/ntfs_fs.h"
    ],
    "versions": [
      {
        "version": "5.15",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.15",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.149",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.78",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.17",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.7.5",
        "lessThanOrEqual": "6.7.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]