github - ghsa-397q-f49x-2c9j

ghsa-397q-f49x-2c9j

Vulnerability from github

Published

2025-10-04 18:31

Modified

2025-10-04 18:31

Details

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Validate data run offset

This adds sanity checks for data run offset. We should make sure data run offset is legit before trying to unpack them, otherwise we may encounter use-after-free or some unexpected memory access behaviors.

[ 82.940342] BUG: KASAN: use-after-free in run_unpack+0x2e3/0x570 [ 82.941180] Read of size 1 at addr ffff888008a8487f by task mount/240 [ 82.941670] [ 82.942069] CPU: 0 PID: 240 Comm: mount Not tainted 5.19.0+ #15 [ 82.942482] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 82.943720] Call Trace: [ 82.944204] [ 82.944471] dump_stack_lvl+0x49/0x63 [ 82.944908] print_report.cold+0xf5/0x67b [ 82.945141] ? __wait_on_bit+0x106/0x120 [ 82.945750] ? run_unpack+0x2e3/0x570 [ 82.946626] kasan_report+0xa7/0x120 [ 82.947046] ? run_unpack+0x2e3/0x570 [ 82.947280] __asan_load1+0x51/0x60 [ 82.947483] run_unpack+0x2e3/0x570 [ 82.947709] ? memcpy+0x4e/0x70 [ 82.947927] ? run_pack+0x7a0/0x7a0 [ 82.948158] run_unpack_ex+0xad/0x3f0 [ 82.948399] ? mi_enum_attr+0x14a/0x200 [ 82.948717] ? run_unpack+0x570/0x570 [ 82.949072] ? ni_enum_attr_ex+0x1b2/0x1c0 [ 82.949332] ? ni_fname_type.part.0+0xd0/0xd0 [ 82.949611] ? mi_read+0x262/0x2c0 [ 82.949970] ? ntfs_cmp_names_cpu+0x125/0x180 [ 82.950249] ntfs_iget5+0x632/0x1870 [ 82.950621] ? ntfs_get_block_bmap+0x70/0x70 [ 82.951192] ? evict+0x223/0x280 [ 82.951525] ? iput.part.0+0x286/0x320 [ 82.951969] ntfs_fill_super+0x1321/0x1e20 [ 82.952436] ? put_ntfs+0x1d0/0x1d0 [ 82.952822] ? vsprintf+0x20/0x20 [ 82.953188] ? mutex_unlock+0x81/0xd0 [ 82.953379] ? set_blocksize+0x95/0x150 [ 82.954001] get_tree_bdev+0x232/0x370 [ 82.954438] ? put_ntfs+0x1d0/0x1d0 [ 82.954700] ntfs_fs_get_tree+0x15/0x20 [ 82.955049] vfs_get_tree+0x4c/0x130 [ 82.955292] path_mount+0x645/0xfd0 [ 82.955615] ? putname+0x80/0xa0 [ 82.955955] ? finish_automount+0x2e0/0x2e0 [ 82.956310] ? kmem_cache_free+0x110/0x390 [ 82.956723] ? putname+0x80/0xa0 [ 82.957023] do_mount+0xd6/0xf0 [ 82.957411] ? path_mount+0xfd0/0xfd0 [ 82.957638] ? __kasan_check_write+0x14/0x20 [ 82.957948] __x64_sys_mount+0xca/0x110 [ 82.958310] do_syscall_64+0x3b/0x90 [ 82.958719] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 82.959341] RIP: 0033:0x7fd0d1ce948a [ 82.960193] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 82.961532] RSP: 002b:00007ffe59ff69a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 82.962527] RAX: ffffffffffffffda RBX: 0000564dcc107060 RCX: 00007fd0d1ce948a [ 82.963266] RDX: 0000564dcc107260 RSI: 0000564dcc1072e0 RDI: 0000564dcc10fce0 [ 82.963686] RBP: 0000000000000000 R08: 0000564dcc107280 R09: 0000000000000020 [ 82.964272] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564dcc10fce0 [ 82.964785] R13: 0000564dcc107260 R14: 0000000000000000 R15: 00000000ffffffff

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-50507"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-04T16:15:47Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate data run offset\n\nThis adds sanity checks for data run offset. We should make sure data\nrun offset is legit before trying to unpack them, otherwise we may\nencounter use-after-free or some unexpected memory access behaviors.\n\n[   82.940342] BUG: KASAN: use-after-free in run_unpack+0x2e3/0x570\n[   82.941180] Read of size 1 at addr ffff888008a8487f by task mount/240\n[   82.941670]\n[   82.942069] CPU: 0 PID: 240 Comm: mount Not tainted 5.19.0+ #15\n[   82.942482] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[   82.943720] Call Trace:\n[   82.944204]  \u003cTASK\u003e\n[   82.944471]  dump_stack_lvl+0x49/0x63\n[   82.944908]  print_report.cold+0xf5/0x67b\n[   82.945141]  ? __wait_on_bit+0x106/0x120\n[   82.945750]  ? run_unpack+0x2e3/0x570\n[   82.946626]  kasan_report+0xa7/0x120\n[   82.947046]  ? run_unpack+0x2e3/0x570\n[   82.947280]  __asan_load1+0x51/0x60\n[   82.947483]  run_unpack+0x2e3/0x570\n[   82.947709]  ? memcpy+0x4e/0x70\n[   82.947927]  ? run_pack+0x7a0/0x7a0\n[   82.948158]  run_unpack_ex+0xad/0x3f0\n[   82.948399]  ? mi_enum_attr+0x14a/0x200\n[   82.948717]  ? run_unpack+0x570/0x570\n[   82.949072]  ? ni_enum_attr_ex+0x1b2/0x1c0\n[   82.949332]  ? ni_fname_type.part.0+0xd0/0xd0\n[   82.949611]  ? mi_read+0x262/0x2c0\n[   82.949970]  ? ntfs_cmp_names_cpu+0x125/0x180\n[   82.950249]  ntfs_iget5+0x632/0x1870\n[   82.950621]  ? ntfs_get_block_bmap+0x70/0x70\n[   82.951192]  ? evict+0x223/0x280\n[   82.951525]  ? iput.part.0+0x286/0x320\n[   82.951969]  ntfs_fill_super+0x1321/0x1e20\n[   82.952436]  ? put_ntfs+0x1d0/0x1d0\n[   82.952822]  ? vsprintf+0x20/0x20\n[   82.953188]  ? mutex_unlock+0x81/0xd0\n[   82.953379]  ? set_blocksize+0x95/0x150\n[   82.954001]  get_tree_bdev+0x232/0x370\n[   82.954438]  ? put_ntfs+0x1d0/0x1d0\n[   82.954700]  ntfs_fs_get_tree+0x15/0x20\n[   82.955049]  vfs_get_tree+0x4c/0x130\n[   82.955292]  path_mount+0x645/0xfd0\n[   82.955615]  ? putname+0x80/0xa0\n[   82.955955]  ? finish_automount+0x2e0/0x2e0\n[   82.956310]  ? kmem_cache_free+0x110/0x390\n[   82.956723]  ? putname+0x80/0xa0\n[   82.957023]  do_mount+0xd6/0xf0\n[   82.957411]  ? path_mount+0xfd0/0xfd0\n[   82.957638]  ? __kasan_check_write+0x14/0x20\n[   82.957948]  __x64_sys_mount+0xca/0x110\n[   82.958310]  do_syscall_64+0x3b/0x90\n[   82.958719]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[   82.959341] RIP: 0033:0x7fd0d1ce948a\n[   82.960193] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\n[   82.961532] RSP: 002b:00007ffe59ff69a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5\n[   82.962527] RAX: ffffffffffffffda RBX: 0000564dcc107060 RCX: 00007fd0d1ce948a\n[   82.963266] RDX: 0000564dcc107260 RSI: 0000564dcc1072e0 RDI: 0000564dcc10fce0\n[   82.963686] RBP: 0000000000000000 R08: 0000564dcc107280 R09: 0000000000000020\n[   82.964272] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564dcc10fce0\n[   82.964785] R13: 0000564dcc107260 R14: 0000000000000000 R15: 00000000ffffffff",
  "id": "GHSA-397q-f49x-2c9j",
  "modified": "2025-10-04T18:31:14Z",
  "published": "2025-10-04T18:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50507"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6db620863f8528ed9a9aa5ad323b26554a17881d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9173b89c16a603d73c434b695fe2a7a13491300f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/de5e0955248ff90a2ae91e7f5c108392b52152d0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e0455361d3068066a91fe18282b751925d7b5ee7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2022-50507 (GCVE-0-2022-50507)

Vulnerability from cvelistv5

Published

2025-10-04 15:43

Modified

2025-10-06 09:07

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Validate data run offset This adds sanity checks for data run offset. We should make sure data run offset is legit before trying to unpack them, otherwise we may encounter use-after-free or some unexpected memory access behaviors. [ 82.940342] BUG: KASAN: use-after-free in run_unpack+0x2e3/0x570 [ 82.941180] Read of size 1 at addr ffff888008a8487f by task mount/240 [ 82.941670] [ 82.942069] CPU: 0 PID: 240 Comm: mount Not tainted 5.19.0+ #15 [ 82.942482] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 82.943720] Call Trace: [ 82.944204] <TASK> [ 82.944471] dump_stack_lvl+0x49/0x63 [ 82.944908] print_report.cold+0xf5/0x67b [ 82.945141] ? __wait_on_bit+0x106/0x120 [ 82.945750] ? run_unpack+0x2e3/0x570 [ 82.946626] kasan_report+0xa7/0x120 [ 82.947046] ? run_unpack+0x2e3/0x570 [ 82.947280] __asan_load1+0x51/0x60 [ 82.947483] run_unpack+0x2e3/0x570 [ 82.947709] ? memcpy+0x4e/0x70 [ 82.947927] ? run_pack+0x7a0/0x7a0 [ 82.948158] run_unpack_ex+0xad/0x3f0 [ 82.948399] ? mi_enum_attr+0x14a/0x200 [ 82.948717] ? run_unpack+0x570/0x570 [ 82.949072] ? ni_enum_attr_ex+0x1b2/0x1c0 [ 82.949332] ? ni_fname_type.part.0+0xd0/0xd0 [ 82.949611] ? mi_read+0x262/0x2c0 [ 82.949970] ? ntfs_cmp_names_cpu+0x125/0x180 [ 82.950249] ntfs_iget5+0x632/0x1870 [ 82.950621] ? ntfs_get_block_bmap+0x70/0x70 [ 82.951192] ? evict+0x223/0x280 [ 82.951525] ? iput.part.0+0x286/0x320 [ 82.951969] ntfs_fill_super+0x1321/0x1e20 [ 82.952436] ? put_ntfs+0x1d0/0x1d0 [ 82.952822] ? vsprintf+0x20/0x20 [ 82.953188] ? mutex_unlock+0x81/0xd0 [ 82.953379] ? set_blocksize+0x95/0x150 [ 82.954001] get_tree_bdev+0x232/0x370 [ 82.954438] ? put_ntfs+0x1d0/0x1d0 [ 82.954700] ntfs_fs_get_tree+0x15/0x20 [ 82.955049] vfs_get_tree+0x4c/0x130 [ 82.955292] path_mount+0x645/0xfd0 [ 82.955615] ? putname+0x80/0xa0 [ 82.955955] ? finish_automount+0x2e0/0x2e0 [ 82.956310] ? kmem_cache_free+0x110/0x390 [ 82.956723] ? putname+0x80/0xa0 [ 82.957023] do_mount+0xd6/0xf0 [ 82.957411] ? path_mount+0xfd0/0xfd0 [ 82.957638] ? __kasan_check_write+0x14/0x20 [ 82.957948] __x64_sys_mount+0xca/0x110 [ 82.958310] do_syscall_64+0x3b/0x90 [ 82.958719] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 82.959341] RIP: 0033:0x7fd0d1ce948a [ 82.960193] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 82.961532] RSP: 002b:00007ffe59ff69a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 82.962527] RAX: ffffffffffffffda RBX: 0000564dcc107060 RCX: 00007fd0d1ce948a [ 82.963266] RDX: 0000564dcc107260 RSI: 0000564dcc1072e0 RDI: 0000564dcc10fce0 [ 82.963686] RBP: 0000000000000000 R08: 0000564dcc107280 R09: 0000000000000020 [ 82.964272] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564dcc10fce0 [ 82.964785] R13: 0000564dcc107260 R14: 0000000000000000 R15: 00000000ffffffff

References

URL

Tags

	https://git.kernel.org/stable/c/de5e0955248ff90a2ae91e7f5c108392b52152d0
	https://git.kernel.org/stable/c/e0455361d3068066a91fe18282b751925d7b5ee7
	https://git.kernel.org/stable/c/9173b89c16a603d73c434b695fe2a7a13491300f
	https://git.kernel.org/stable/c/6db620863f8528ed9a9aa5ad323b26554a17881d

Impacted products

Vendor

Product

Version

Linux

Version: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e
Version: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e
Version: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e
Version: 4534a70b7056fd4b9a1c6db5a4ce3c98546b291e

Linux

Version: 5.15

Show details on NVD website