{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-49763", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:17:33.804Z", "datePublished": "2025-05-01T14:09:03.607Z", "dateUpdated": "2026-05-11T19:06:18.646Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:06:18.646Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: fix use-after-free in ntfs_attr_find()\n\nPatch series \"ntfs: fix bugs about Attribute\", v2.\n\nThis patchset fixes three bugs relative to Attribute in record:\n\nPatch 1 adds a sanity check to ensure that, attrs_offset field in first\nmft record loading from disk is within bounds.\n\nPatch 2 moves the ATTR_RECORD's bounds checking earlier, to avoid\ndereferencing ATTR_RECORD before checking this ATTR_RECORD is within\nbounds.\n\nPatch 3 adds an overflow checking to avoid possible forever loop in\nntfs_attr_find().\n\nWithout patch 1 and patch 2, the kernel triggersa KASAN use-after-free\ndetection as reported by Syzkaller.\n\nAlthough one of patch 1 or patch 2 can fix this, we still need both of\nthem. Because patch 1 fixes the root cause, and patch 2 not only fixes\nthe direct cause, but also fixes the potential out-of-bounds bug.\n\n\nThis patch (of 3):\n\nSyzkaller reported use-after-free read as follows:\n==================================================================\nBUG: KASAN: use-after-free in ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597\nRead of size 2 at addr ffff88807e352009 by task syz-executor153/3607\n\n[...]\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:317 [inline]\n print_report.cold+0x2ba/0x719 mm/kasan/report.c:433\n kasan_report+0xb1/0x1e0 mm/kasan/report.c:495\n ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597\n ntfs_attr_lookup+0x1056/0x2070 fs/ntfs/attrib.c:1193\n ntfs_read_inode_mount+0x89a/0x2580 fs/ntfs/inode.c:1845\n ntfs_fill_super+0x1799/0x9320 fs/ntfs/super.c:2854\n mount_bdev+0x34d/0x410 fs/super.c:1400\n legacy_get_tree+0x105/0x220 fs/fs_context.c:610\n vfs_get_tree+0x89/0x2f0 fs/super.c:1530\n do_new_mount fs/namespace.c:3040 [inline]\n path_mount+0x1326/0x1e20 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n [...]\n </TASK>\n\nThe buggy address belongs to the physical page:\npage:ffffea0001f8d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e350\nhead:ffffea0001f8d400 order:3 compound_mapcount:0 compound_pincount:0\nflags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011842140\nraw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\n ffff88807e351f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff88807e351f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n>ffff88807e352000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff88807e352080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff88807e352100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\n\nKernel will loads $MFT/$DATA's first mft record in\nntfs_read_inode_mount().\n\nYet the problem is that after loading, kernel doesn't check whether\nattrs_offset field is a valid value.\n\nTo be more specific, if attrs_offset field is larger than bytes_allocated\nfield, then it may trigger the out-of-bounds read bug(reported as\nuse-after-free bug) in ntfs_attr_find(), when kernel tries to access the\ncorresponding mft record's attribute.\n\nThis patch solves it by adding the sanity check between attrs_offset field\nand bytes_allocated field, after loading the first mft record."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ntfs/inode.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "79f3ac7dcd12c05b7539239a4c6fa229a50d786c", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "fb2004bafd1932e08d21ca604ee5844f2b7f212d", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "d0006d739738a658a9c29b438444259d9f71dfa0", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "266bd5306286316758e6246ea0345133427b0f62", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "b825bfbbaafbe8da2037e3a778ad660c59f9e054", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "5330c423b86263ac7883fef0260b9e2229cb531e", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "4863f815463034f588a035cfd99cdca97a4f1069", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "d85a1bec8e8d552ab13163ca1874dcd82f3d1550", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ntfs/inode.c"], "versions": [{"version": "2.6.12", "status": "affected"}, {"version": "0", "lessThan": "2.6.12", "status": "unaffected", "versionType": "semver"}, {"version": "4.9.334", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.300", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.267", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.225", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.156", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.80", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.10", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "4.9.334"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "4.14.300"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "4.19.267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "5.4.225"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "5.10.156"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "5.15.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.0.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/79f3ac7dcd12c05b7539239a4c6fa229a50d786c"}, {"url": "https://git.kernel.org/stable/c/fb2004bafd1932e08d21ca604ee5844f2b7f212d"}, {"url": "https://git.kernel.org/stable/c/d0006d739738a658a9c29b438444259d9f71dfa0"}, {"url": "https://git.kernel.org/stable/c/266bd5306286316758e6246ea0345133427b0f62"}, {"url": "https://git.kernel.org/stable/c/b825bfbbaafbe8da2037e3a778ad660c59f9e054"}, {"url": "https://git.kernel.org/stable/c/5330c423b86263ac7883fef0260b9e2229cb531e"}, {"url": "https://git.kernel.org/stable/c/4863f815463034f588a035cfd99cdca97a4f1069"}, {"url": "https://git.kernel.org/stable/c/d85a1bec8e8d552ab13163ca1874dcd82f3d1550"}], "title": "ntfs: fix use-after-free in ntfs_attr_find()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "65416FEB-3A76-4DA9-A96A-1479EC77AFB6", "versionEndExcluding": "4.9.334", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "424802D2-E9E7-48A9-AD6F-DF2227B3D83A", "versionEndExcluding": "4.14.300", "versionStartIncluding": "4.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5C69A12-68E2-400E-9A5A-375A673C8402", "versionEndExcluding": "4.19.267", "versionStartIncluding": "4.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "94D21814-3051-4860-AB06-C7880A3D4933", "versionEndExcluding": "5.4.225", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2152F3D-E6D3-405D-B0BE-911B8B6E2EE6", "versionEndExcluding": "5.10.156", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "51BBEF3B-79F5-4D4C-ADBA-F34DA0E2465C", "versionEndExcluding": "5.15.80", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "64F9ADD1-3ADB-4D66-A00F-4A83010B05F0", "versionEndExcluding": "6.0.10", "versionStartIncluding": "5.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: fix use-after-free in ntfs_attr_find()\n\nPatch series \"ntfs: fix bugs about Attribute\", v2.\n\nThis patchset fixes three bugs relative to Attribute in record:\n\nPatch 1 adds a sanity check to ensure that, attrs_offset field in first\nmft record loading from disk is within bounds.\n\nPatch 2 moves the ATTR_RECORD's bounds checking earlier, to avoid\ndereferencing ATTR_RECORD before checking this ATTR_RECORD is within\nbounds.\n\nPatch 3 adds an overflow checking to avoid possible forever loop in\nntfs_attr_find().\n\nWithout patch 1 and patch 2, the kernel triggersa KASAN use-after-free\ndetection as reported by Syzkaller.\n\nAlthough one of patch 1 or patch 2 can fix this, we still need both of\nthem. Because patch 1 fixes the root cause, and patch 2 not only fixes\nthe direct cause, but also fixes the potential out-of-bounds bug.\n\n\nThis patch (of 3):\n\nSyzkaller reported use-after-free read as follows:\n==================================================================\nBUG: KASAN: use-after-free in ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597\nRead of size 2 at addr ffff88807e352009 by task syz-executor153/3607\n\n[...]\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:317 [inline]\n print_report.cold+0x2ba/0x719 mm/kasan/report.c:433\n kasan_report+0xb1/0x1e0 mm/kasan/report.c:495\n ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597\n ntfs_attr_lookup+0x1056/0x2070 fs/ntfs/attrib.c:1193\n ntfs_read_inode_mount+0x89a/0x2580 fs/ntfs/inode.c:1845\n ntfs_fill_super+0x1799/0x9320 fs/ntfs/super.c:2854\n mount_bdev+0x34d/0x410 fs/super.c:1400\n legacy_get_tree+0x105/0x220 fs/fs_context.c:610\n vfs_get_tree+0x89/0x2f0 fs/super.c:1530\n do_new_mount fs/namespace.c:3040 [inline]\n path_mount+0x1326/0x1e20 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n [...]\n </TASK>\n\nThe buggy address belongs to the physical page:\npage:ffffea0001f8d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e350\nhead:ffffea0001f8d400 order:3 compound_mapcount:0 compound_pincount:0\nflags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011842140\nraw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\n ffff88807e351f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff88807e351f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n>ffff88807e352000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff88807e352080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff88807e352100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\n\nKernel will loads $MFT/$DATA's first mft record in\nntfs_read_inode_mount().\n\nYet the problem is that after loading, kernel doesn't check whether\nattrs_offset field is a valid value.\n\nTo be more specific, if attrs_offset field is larger than bytes_allocated\nfield, then it may trigger the out-of-bounds read bug(reported as\nuse-after-free bug) in ntfs_attr_find(), when kernel tries to access the\ncorresponding mft record's attribute.\n\nThis patch solves it by adding the sanity check between attrs_offset field\nand bytes_allocated field, after loading the first mft record."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ntfs: correcci\u00f3n del use-after-free en ntfs_attr_find(). Serie de parches \"ntfs: correcci\u00f3n de errores sobre el atributo\", v2. Este conjunto de parches corrige tres errores relacionados con el atributo en el registro: el parche 1 a\u00f1ade una comprobaci\u00f3n de seguridad para garantizar que el campo attrs_offset en la primera carga de registro MFT desde el disco est\u00e9 dentro de los l\u00edmites. El parche 2 adelanta la comprobaci\u00f3n de los l\u00edmites de ATTR_RECORD para evitar desreferenciarlo antes de comprobar que est\u00e9 dentro de los l\u00edmites. El parche 3 a\u00f1ade una comprobaci\u00f3n de desbordamiento para evitar un posible bucle infinito en ntfs_attr_find(). Sin los parches 1 y 2, el kernel activa la detecci\u00f3n de use-after-free de KASAN, seg\u00fan lo informado por Syzkaller. Aunque uno de los parches 1 o 2 puede solucionar esto, a\u00fan necesitamos ambos. Porque el parche 1 corrige la causa ra\u00edz, y el parche 2 no solo corrige la causa directa, sino que tambi\u00e9n corrige el posible error fuera de los l\u00edmites. Este parche (de 3): Syzkaller inform\u00f3 una lectura de use-after-free de la siguiente manera: ====================================================================== ERROR: KASAN: use-after-free en ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597 Lectura de tama\u00f1o 2 en la direcci\u00f3n ffff88807e352009 por la tarea syz-executor153/3607 [...] Rastreo de llamadas: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597 ntfs_attr_lookup+0x1056/0x2070 fs/ntfs/attrib.c:1193 ntfs_read_inode_mount+0x89a/0x2580 fs/ntfs/inode.c:1845 ntfs_fill_super+0x1799/0x9320 fs/ntfs/super.c:2854 mount_bdev+0x34d/0x410 fs/super.c:1400 legacy_get_tree+0x105/0x220 fs/fs_context.c:610 vfs_get_tree+0x89/0x2f0 fs/super.c:1530 do_new_mount fs/namespace.c:3040 [inline] path_mount+0x1326/0x1e20 fs/namespace.c:3370 do_mount fs/namespace.c:3383 [inline] __do_sys_mount fs/namespace.c:3591 [inline] __se_sys_mount fs/namespace.c:3568 [inline] __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] La direcci\u00f3n con errores pertenece a la p\u00e1gina f\u00edsica: page:ffffea0001f8d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e350 head:ffffea0001f8d400 order:3 Compound_mapcount:0 Compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 0000000000000000 muerto000000000122 ffff888011842140 raw: 00000000000000000 0000000000040004 00000001ffffffff 0000000000000000 p\u00e1gina volcada porque: kasan: mal acceso detectado Estado de la memoria alrededor de la direcci\u00f3n con errores: ffff88807e351f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88807e351f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc &gt;ffff88807e352000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807e352080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807e352100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ====================================================================== El n\u00facleo cargar\u00e1 el primer registro mft de $MFT/$DATA en ntfs_read_inode_mount(). Sin embargo, el problema radica en que, tras la carga, el kernel no comprueba si el campo attrs_offset es un valor v\u00e1lido. M\u00e1s espec\u00edficamente, si el campo attrs_offset es mayor que el campo bytes_allocated, podr\u00eda activarse el error de lectura fuera de los l\u00edmites (reportado como error de use-after-free) en ntfs_attr_find() cuando el kernel intenta acceder al atributo del registro MFT correspondiente. Este parche lo soluciona a\u00f1adiendo la comprobaci\u00f3n de validez entre los campos attrs_offset y bytes_allocated tras cargar el primer registro MFT."}], "id": "CVE-2022-49763", "lastModified": "2025-11-06T21:59:01.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-01T15:15:59.047", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/266bd5306286316758e6246ea0345133427b0f62"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4863f815463034f588a035cfd99cdca97a4f1069"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5330c423b86263ac7883fef0260b9e2229cb531e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/79f3ac7dcd12c05b7539239a4c6fa229a50d786c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b825bfbbaafbe8da2037e3a778ad660c59f9e054"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d0006d739738a658a9c29b438444259d9f71dfa0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d85a1bec8e8d552ab13163ca1874dcd82f3d1550"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fb2004bafd1932e08d21ca604ee5844f2b7f212d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ntfs: fix use-after-free in ntfs_attr_find()", "id": "2363372", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363372"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nntfs: fix use-after-free in ntfs_attr_find()\nPatch series \"ntfs: fix bugs about Attribute\", v2.\nThis patchset fixes three bugs relative to Attribute in record:\nPatch 1 adds a sanity check to ensure that, attrs_offset field in first\nmft record loading from disk is within bounds.\nPatch 2 moves the ATTR_RECORD's bounds checking earlier, to avoid\ndereferencing ATTR_RECORD before checking this ATTR_RECORD is within\nbounds.\nPatch 3 adds an overflow checking to avoid possible forever loop in\nntfs_attr_find().\nWithout patch 1 and patch 2, the kernel triggersa KASAN use-after-free\ndetection as reported by Syzkaller.\nAlthough one of patch 1 or patch 2 can fix this, we still need both of\nthem. Because patch 1 fixes the root cause, and patch 2 not only fixes\nthe direct cause, but also fixes the potential out-of-bounds bug.\nThis patch (of 3):\nSyzkaller reported use-after-free read as follows:\n==================================================================\nBUG: KASAN: use-after-free in ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597\nRead of size 2 at addr ffff88807e352009 by task syz-executor153/3607\n[...]\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:317 [inline]\nprint_report.cold+0x2ba/0x719 mm/kasan/report.c:433\nkasan_report+0xb1/0x1e0 mm/kasan/report.c:495\nntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597\nntfs_attr_lookup+0x1056/0x2070 fs/ntfs/attrib.c:1193\nntfs_read_inode_mount+0x89a/0x2580 fs/ntfs/inode.c:1845\nntfs_fill_super+0x1799/0x9320 fs/ntfs/super.c:2854\nmount_bdev+0x34d/0x410 fs/super.c:1400\nlegacy_get_tree+0x105/0x220 fs/fs_context.c:610\nvfs_get_tree+0x89/0x2f0 fs/super.c:1530\ndo_new_mount fs/namespace.c:3040 [inline]\npath_mount+0x1326/0x1e20 fs/namespace.c:3370\ndo_mount fs/namespace.c:3383 [inline]\n__do_sys_mount fs/namespace.c:3591 [inline]\n__se_sys_mount fs/namespace.c:3568 [inline]\n__x64_sys_mount+0x27f/0x300 fs/namespace.c:3568\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...]\n</TASK>\nThe buggy address belongs to the physical page:\npage:ffffea0001f8d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e350\nhead:ffffea0001f8d400 order:3 compound_mapcount:0 compound_pincount:0\nflags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011842140\nraw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\nffff88807e351f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\nffff88807e351f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n>ffff88807e352000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n^\nffff88807e352080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\nffff88807e352100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\nKernel will loads $MFT/$DATA's first mft record in\nntfs_read_inode_mount().\nYet the problem is that after loading, kernel doesn't check whether\nattrs_offset field is a valid value.\nTo be more specific, if attrs_offset field is larger than bytes_allocated\nfield, then it may trigger the out-of-bounds read bug(reported as\nuse-after-free bug) in ntfs_attr_find(), when kernel tries to access the\ncorresponding mft record's attribute.\nThis patch solves it by adding the sanity check between attrs_offset field\nand bytes_allocated field, after loading the first mft record."], "name": "CVE-2022-49763", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49763\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49763\nhttps://lore.kernel.org/linux-cve-announce/2025050113-CVE-2022-49763-3556@gregkh/T"], "threat_severity": "Moderate"}

{}