ghsa-qqgg-499c-j47v
Vulnerability from github
Published
2025-10-01 12:30
Modified
2025-10-01 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Validate buffer length while parsing index

indx_read is called when we have some NTFS directory operations that need more information from the index buffers. This adds a sanity check to make sure the returned index buffer length is legit, or we may have some out-of-bound memory accesses.

[ 560.897595] BUG: KASAN: slab-out-of-bounds in hdr_find_e.isra.0+0x10c/0x320 [ 560.898321] Read of size 2 at addr ffff888009497238 by task exp/245 [ 560.898760] [ 560.899129] CPU: 0 PID: 245 Comm: exp Not tainted 6.0.0-rc6 #37 [ 560.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 560.900170] Call Trace: [ 560.900407] [ 560.900732] dump_stack_lvl+0x49/0x63 [ 560.901108] print_report.cold+0xf5/0x689 [ 560.901395] ? hdr_find_e.isra.0+0x10c/0x320 [ 560.901716] kasan_report+0xa7/0x130 [ 560.901950] ? hdr_find_e.isra.0+0x10c/0x320 [ 560.902208] __asan_load2+0x68/0x90 [ 560.902427] hdr_find_e.isra.0+0x10c/0x320 [ 560.902846] ? cmp_uints+0xe0/0xe0 [ 560.903363] ? cmp_sdh+0x90/0x90 [ 560.903883] ? ntfs_bread_run+0x190/0x190 [ 560.904196] ? rwsem_down_read_slowpath+0x750/0x750 [ 560.904969] ? ntfs_fix_post_read+0xe0/0x130 [ 560.905259] ? __kasan_check_write+0x14/0x20 [ 560.905599] ? up_read+0x1a/0x90 [ 560.905853] ? indx_read+0x22c/0x380 [ 560.906096] indx_find+0x2ef/0x470 [ 560.906352] ? indx_find_buffer+0x2d0/0x2d0 [ 560.906692] ? __kasan_kmalloc+0x88/0xb0 [ 560.906977] dir_search_u+0x196/0x2f0 [ 560.907220] ? ntfs_nls_to_utf16+0x450/0x450 [ 560.907464] ? __kasan_check_write+0x14/0x20 [ 560.907747] ? mutex_lock+0x8f/0xe0 [ 560.907970] ? __mutex_lock_slowpath+0x20/0x20 [ 560.908214] ? kmem_cache_alloc+0x143/0x4b0 [ 560.908459] ntfs_lookup+0xe0/0x100 [ 560.908788] __lookup_slow+0x116/0x220 [ 560.909050] ? lookup_fast+0x1b0/0x1b0 [ 560.909309] ? lookup_fast+0x13f/0x1b0 [ 560.909601] walk_component+0x187/0x230 [ 560.909944] link_path_walk.part.0+0x3f0/0x660 [ 560.910285] ? handle_lookup_down+0x90/0x90 [ 560.910618] ? path_init+0x642/0x6e0 [ 560.911084] ? percpu_counter_add_batch+0x6e/0xf0 [ 560.912559] ? __alloc_file+0x114/0x170 [ 560.913008] path_openat+0x19c/0x1d10 [ 560.913419] ? getname_flags+0x73/0x2b0 [ 560.913815] ? kasan_save_stack+0x3a/0x50 [ 560.914125] ? kasan_save_stack+0x26/0x50 [ 560.914542] ? __kasan_slab_alloc+0x6d/0x90 [ 560.914924] ? kmem_cache_alloc+0x143/0x4b0 [ 560.915339] ? getname_flags+0x73/0x2b0 [ 560.915647] ? getname+0x12/0x20 [ 560.916114] ? __x64_sys_open+0x4c/0x60 [ 560.916460] ? path_lookupat.isra.0+0x230/0x230 [ 560.916867] ? __isolate_free_page+0x2e0/0x2e0 [ 560.917194] do_filp_open+0x15c/0x1f0 [ 560.917448] ? may_open_dev+0x60/0x60 [ 560.917696] ? expand_files+0xa4/0x3a0 [ 560.917923] ? __kasan_check_write+0x14/0x20 [ 560.918185] ? _raw_spin_lock+0x88/0xdb [ 560.918409] ? _raw_spin_lock_irqsave+0x100/0x100 [ 560.918783] ? _find_next_bit+0x4a/0x130 [ 560.919026] ? _raw_spin_unlock+0x19/0x40 [ 560.919276] ? alloc_fd+0x14b/0x2d0 [ 560.919635] do_sys_openat2+0x32a/0x4b0 [ 560.920035] ? file_open_root+0x230/0x230 [ 560.920336] ? __rcu_read_unlock+0x5b/0x280 [ 560.920813] do_sys_open+0x99/0xf0 [ 560.921208] ? filp_open+0x60/0x60 [ 560.921482] ? exit_to_user_mode_prepare+0x49/0x180 [ 560.921867] __x64_sys_open+0x4c/0x60 [ 560.922128] do_syscall_64+0x3b/0x90 [ 560.922369] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 560.923030] RIP: 0033:0x7f7dff2e4469 [ 560.923681] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088 [ 560.924451] RSP: 002b:00007ffd41a210b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000002 [ 560.925168] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dff2e4469 [ 560.925655] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50442"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T12:15:36Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate buffer length while parsing index\n\nindx_read is called when we have some NTFS directory operations that\nneed more information from the index buffers. This adds a sanity check\nto make sure the returned index buffer length is legit, or we may have\nsome out-of-bound memory accesses.\n\n[  560.897595] BUG: KASAN: slab-out-of-bounds in hdr_find_e.isra.0+0x10c/0x320\n[  560.898321] Read of size 2 at addr ffff888009497238 by task exp/245\n[  560.898760]\n[  560.899129] CPU: 0 PID: 245 Comm: exp Not tainted 6.0.0-rc6 #37\n[  560.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[  560.900170] Call Trace:\n[  560.900407]  \u003cTASK\u003e\n[  560.900732]  dump_stack_lvl+0x49/0x63\n[  560.901108]  print_report.cold+0xf5/0x689\n[  560.901395]  ? hdr_find_e.isra.0+0x10c/0x320\n[  560.901716]  kasan_report+0xa7/0x130\n[  560.901950]  ? hdr_find_e.isra.0+0x10c/0x320\n[  560.902208]  __asan_load2+0x68/0x90\n[  560.902427]  hdr_find_e.isra.0+0x10c/0x320\n[  560.902846]  ? cmp_uints+0xe0/0xe0\n[  560.903363]  ? cmp_sdh+0x90/0x90\n[  560.903883]  ? ntfs_bread_run+0x190/0x190\n[  560.904196]  ? rwsem_down_read_slowpath+0x750/0x750\n[  560.904969]  ? ntfs_fix_post_read+0xe0/0x130\n[  560.905259]  ? __kasan_check_write+0x14/0x20\n[  560.905599]  ? up_read+0x1a/0x90\n[  560.905853]  ? indx_read+0x22c/0x380\n[  560.906096]  indx_find+0x2ef/0x470\n[  560.906352]  ? indx_find_buffer+0x2d0/0x2d0\n[  560.906692]  ? __kasan_kmalloc+0x88/0xb0\n[  560.906977]  dir_search_u+0x196/0x2f0\n[  560.907220]  ? ntfs_nls_to_utf16+0x450/0x450\n[  560.907464]  ? __kasan_check_write+0x14/0x20\n[  560.907747]  ? mutex_lock+0x8f/0xe0\n[  560.907970]  ? __mutex_lock_slowpath+0x20/0x20\n[  560.908214]  ? kmem_cache_alloc+0x143/0x4b0\n[  560.908459]  ntfs_lookup+0xe0/0x100\n[  560.908788]  __lookup_slow+0x116/0x220\n[  560.909050]  ? lookup_fast+0x1b0/0x1b0\n[  560.909309]  ? lookup_fast+0x13f/0x1b0\n[  560.909601]  walk_component+0x187/0x230\n[  560.909944]  link_path_walk.part.0+0x3f0/0x660\n[  560.910285]  ? handle_lookup_down+0x90/0x90\n[  560.910618]  ? path_init+0x642/0x6e0\n[  560.911084]  ? percpu_counter_add_batch+0x6e/0xf0\n[  560.912559]  ? __alloc_file+0x114/0x170\n[  560.913008]  path_openat+0x19c/0x1d10\n[  560.913419]  ? getname_flags+0x73/0x2b0\n[  560.913815]  ? kasan_save_stack+0x3a/0x50\n[  560.914125]  ? kasan_save_stack+0x26/0x50\n[  560.914542]  ? __kasan_slab_alloc+0x6d/0x90\n[  560.914924]  ? kmem_cache_alloc+0x143/0x4b0\n[  560.915339]  ? getname_flags+0x73/0x2b0\n[  560.915647]  ? getname+0x12/0x20\n[  560.916114]  ? __x64_sys_open+0x4c/0x60\n[  560.916460]  ? path_lookupat.isra.0+0x230/0x230\n[  560.916867]  ? __isolate_free_page+0x2e0/0x2e0\n[  560.917194]  do_filp_open+0x15c/0x1f0\n[  560.917448]  ? may_open_dev+0x60/0x60\n[  560.917696]  ? expand_files+0xa4/0x3a0\n[  560.917923]  ? __kasan_check_write+0x14/0x20\n[  560.918185]  ? _raw_spin_lock+0x88/0xdb\n[  560.918409]  ? _raw_spin_lock_irqsave+0x100/0x100\n[  560.918783]  ? _find_next_bit+0x4a/0x130\n[  560.919026]  ? _raw_spin_unlock+0x19/0x40\n[  560.919276]  ? alloc_fd+0x14b/0x2d0\n[  560.919635]  do_sys_openat2+0x32a/0x4b0\n[  560.920035]  ? file_open_root+0x230/0x230\n[  560.920336]  ? __rcu_read_unlock+0x5b/0x280\n[  560.920813]  do_sys_open+0x99/0xf0\n[  560.921208]  ? filp_open+0x60/0x60\n[  560.921482]  ? exit_to_user_mode_prepare+0x49/0x180\n[  560.921867]  __x64_sys_open+0x4c/0x60\n[  560.922128]  do_syscall_64+0x3b/0x90\n[  560.922369]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  560.923030] RIP: 0033:0x7f7dff2e4469\n[  560.923681] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088\n[  560.924451] RSP: 002b:00007ffd41a210b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000002\n[  560.925168] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dff2e4469\n[  560.925655] RDX: 0000000000000000 RSI: 0000000000000002 RDI:\n---truncated---",
  "id": "GHSA-qqgg-499c-j47v",
  "modified": "2025-10-01T12:30:28Z",
  "published": "2025-10-01T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50442"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3cd9e5b41b83bb57ac3cf9888f9fef2a6ef8ed96"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3f6f75e8863f41c8b3dbfd9d99e3963aaca42601"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4d42ecda239cc13738d6fd84d098a32e67b368b9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b15374365c9d10445ea7d66cdf885457a0223fc2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.