CVE-2023-54196 (GCVE-0-2023-54196)
Vulnerability from cvelistv5
Published: 2025-12-30 12:09
Modified: 2025-12-30 12:09
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode'

Syzbot found the following issue:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000016
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000
[0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]
pc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232
lr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226
sp : ffff8000126c3800
x29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000
x26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000
x23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000
x20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0
x17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500
x14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500
x11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500
x8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
 is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]
 ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232
 ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744
 evict+0xec/0x334 fs/inode.c:665
 iput_final fs/inode.c:1748 [inline]
 iput+0x2c4/0x324 fs/inode.c:1774
 ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660
 ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278
 ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100
 lookup_open fs/namei.c:3413 [inline]
 open_last_lookups fs/namei.c:3481 [inline]
 path_openat+0x804/0x11c4 fs/namei.c:3688
 do_filp_open+0xdc/0x1b8 fs/namei.c:3718
 do_sys_openat2+0xb8/0x22c fs/open.c:1311
 do_sys_open fs/open.c:1327 [inline]
 __do_sys_openat fs/open.c:1343 [inline]
 __se_sys_openat fs/open.c:1338 [inline]
 __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
 el0t_64_sync+0x18c/0x190
Code: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14)
---[ end trace 0000000000000000 ]---

The above issue may happen as follows:
ntfs_new_inode
  mi_init
    mi->mrec = kmalloc(sbi->record_size, GFP_NOFS); -->failed to allocate memory
      if (!mi->mrec)
        return -ENOMEM;
iput
  iput_final
    evict
      ntfs_evict_inode
        ni_write_inode
          is_rec_inuse(ni->mi.mrec)-> As 'ni->mi.mrec' is NULL trigger NULL-ptr-deref

To solve the above issue, if the new inode failed, make the inode bad before calling 'iput()' in 'ntfs_new_inode()'.
Impacted products
Vendor Product Version
Linux Linux Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/fsntfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6d3d3283e6b4fb3f3ee05dac30ee1461930b8103",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "329fc4d3f73d865b25f2ee4eafafb040ace37ad5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1c5cffe0d662fb2de7b63176c2582abb69b5f538",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "db2a3cc6a3481076da6344cc62a80a4e2525f36f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/fsntfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.113",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.81",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix NULL pointer dereference in \u0027ni_write_inode\u0027\n\nSyzbot found the following issue:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000016\nMem abort info:\n  ESR = 0x0000000096000006\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x06: level 2 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000006\n  CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000\n[0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000\nInternal error: Oops: 0000000096000006 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]\npc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232\nlr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226\nsp : ffff8000126c3800\nx29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000\nx26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000\nx23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000\nx20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0\nx17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500\nx14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500\nx11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500\nx8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000\nCall trace:\n is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]\n ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232\n 
ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744\n evict+0xec/0x334 fs/inode.c:665\n iput_final fs/inode.c:1748 [inline]\n iput+0x2c4/0x324 fs/inode.c:1774\n ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660\n ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278\n ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100\n lookup_open fs/namei.c:3413 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x804/0x11c4 fs/namei.c:3688\n do_filp_open+0xdc/0x1b8 fs/namei.c:3718\n do_sys_openat2+0xb8/0x22c fs/open.c:1311\n do_sys_open fs/open.c:1327 [inline]\n __do_sys_openat fs/open.c:1343 [inline]\n __se_sys_openat fs/open.c:1338 [inline]\n __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338\n __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]\n el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142\n do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206\n el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636\n el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654\n el0t_64_sync+0x18c/0x190\nCode: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14)\n---[ end trace 0000000000000000 ]---\n\nAbove issue may happens as follows:\nntfs_new_inode\n  mi_init\n    mi-\u003emrec = kmalloc(sbi-\u003erecord_size, GFP_NOFS); --\u003efailed to allocate memory\n      if (!mi-\u003emrec)\n        return -ENOMEM;\niput\n  iput_final\n    evict\n      ntfs_evict_inode\n        ni_write_inode\n\t  is_rec_inuse(ni-\u003emi.mrec)-\u003e As \u0027ni-\u003emi.mrec\u0027 is NULL trigger NULL-ptr-deref\n\nTo solve above issue if new inode failed make inode bad before call \u0027iput()\u0027 in\n\u0027ntfs_new_inode()\u0027."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:09:02.801Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6d3d3283e6b4fb3f3ee05dac30ee1461930b8103"
        },
        {
          "url": "https://git.kernel.org/stable/c/329fc4d3f73d865b25f2ee4eafafb040ace37ad5"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c5cffe0d662fb2de7b63176c2582abb69b5f538"
        },
        {
          "url": "https://git.kernel.org/stable/c/db2a3cc6a3481076da6344cc62a80a4e2525f36f"
        }
      ],
      "title": "fs/ntfs3: Fix NULL pointer dereference in \u0027ni_write_inode\u0027",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54196",
    "datePublished": "2025-12-30T12:09:02.801Z",
    "dateReserved": "2025-12-30T12:06:44.498Z",
    "dateUpdated": "2025-12-30T12:09:02.801Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54196\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:07.653\",\"lastModified\":\"2025-12-30T13:16:07.653\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Fix NULL pointer dereference in \u0027ni_write_inode\u0027\\n\\nSyzbot found the following issue:\\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000016\\nMem abort info:\\n  ESR = 0x0000000096000006\\n  EC = 0x25: DABT (current EL), IL = 32 bits\\n  SET = 0, FnV = 0\\n  EA = 0, S1PTW = 0\\n  FSC = 0x06: level 2 translation fault\\nData abort info:\\n  ISV = 0, ISS = 0x00000006\\n  CM = 0, WnR = 0\\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000\\n[0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000\\nInternal error: Oops: 0000000096000006 [#1] PREEMPT SMP\\nModules linked in:\\nCPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\npc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]\\npc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232\\nlr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226\\nsp : ffff8000126c3800\\nx29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000\\nx26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000\\nx23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000\\nx20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0\\nx17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500\\nx14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500\\nx11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500\\nx8 : 0000000000000000 x7 : 
ffff800008be1b50 x6 : 0000000000000000\\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\\nx2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000\\nCall trace:\\n is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]\\n ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232\\n ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744\\n evict+0xec/0x334 fs/inode.c:665\\n iput_final fs/inode.c:1748 [inline]\\n iput+0x2c4/0x324 fs/inode.c:1774\\n ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660\\n ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278\\n ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100\\n lookup_open fs/namei.c:3413 [inline]\\n open_last_lookups fs/namei.c:3481 [inline]\\n path_openat+0x804/0x11c4 fs/namei.c:3688\\n do_filp_open+0xdc/0x1b8 fs/namei.c:3718\\n do_sys_openat2+0xb8/0x22c fs/open.c:1311\\n do_sys_open fs/open.c:1327 [inline]\\n __do_sys_openat fs/open.c:1343 [inline]\\n __se_sys_openat fs/open.c:1338 [inline]\\n __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338\\n __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\\n invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]\\n el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142\\n do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206\\n el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636\\n el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654\\n el0t_64_sync+0x18c/0x190\\nCode: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14)\\n---[ end trace 0000000000000000 ]---\\n\\nAbove issue may happens as follows:\\nntfs_new_inode\\n  mi_init\\n    mi-\u003emrec = kmalloc(sbi-\u003erecord_size, GFP_NOFS); --\u003efailed to allocate memory\\n      if (!mi-\u003emrec)\\n        return -ENOMEM;\\niput\\n  iput_final\\n    evict\\n      ntfs_evict_inode\\n        ni_write_inode\\n\\t  is_rec_inuse(ni-\u003emi.mrec)-\u003e As \u0027ni-\u003emi.mrec\u0027 is NULL trigger NULL-ptr-deref\\n\\nTo solve above issue if new inode failed make inode bad before call \u0027iput()\u0027 
in\\n\u0027ntfs_new_inode()\u0027.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1c5cffe0d662fb2de7b63176c2582abb69b5f538\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/329fc4d3f73d865b25f2ee4eafafb040ace37ad5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6d3d3283e6b4fb3f3ee05dac30ee1461930b8103\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/db2a3cc6a3481076da6344cc62a80a4e2525f36f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

