ghsa-p4wm-h3cj-5rh8
Vulnerability from github
Published
2025-12-30 15:30
Modified
2025-12-30 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode'

Syzbot found the following issue: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000016 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000 [0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline] pc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232 lr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226 sp : ffff8000126c3800 x29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000 x26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000 x23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000 x20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0 x17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500 x14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500 x11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500 x8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000 Call trace: is_rec_inuse fs/ntfs3/ntfs.h:313 [inline] ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232 ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744 evict+0xec/0x334 fs/inode.c:665 iput_final fs/inode.c:1748 [inline] iput+0x2c4/0x324 fs/inode.c:1774 ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660 ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278 ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100 lookup_open fs/namei.c:3413 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x804/0x11c4 fs/namei.c:3688 do_filp_open+0xdc/0x1b8 fs/namei.c:3718 do_sys_openat2+0xb8/0x22c fs/open.c:1311 do_sys_open fs/open.c:1327 [inline] __do_sys_openat fs/open.c:1343 [inline] __se_sys_openat fs/open.c:1338 [inline] __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall arch/arm64/kernel/syscall.c:52 [inline] el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654 el0t_64_sync+0x18c/0x190 Code: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14) ---[ end trace 0000000000000000 ]---

Above issue may happens as follows: ntfs_new_inode mi_init mi->mrec = kmalloc(sbi->record_size, GFP_NOFS); -->failed to allocate memory if (!mi->mrec) return -ENOMEM; iput iput_final evict ntfs_evict_inode ni_write_inode is_rec_inuse(ni->mi.mrec)-> As 'ni->mi.mrec' is NULL trigger NULL-ptr-deref

To solve above issue if new inode failed make inode bad before call 'iput()' in 'ntfs_new_inode()'.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-54196"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T13:16:07Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix NULL pointer dereference in \u0027ni_write_inode\u0027\n\nSyzbot found the following issue:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000016\nMem abort info:\n  ESR = 0x0000000096000006\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x06: level 2 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000006\n  CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000\n[0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000\nInternal error: Oops: 0000000096000006 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]\npc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232\nlr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226\nsp : ffff8000126c3800\nx29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000\nx26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000\nx23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000\nx20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0\nx17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500\nx14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500\nx11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500\nx8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000\nCall trace:\n is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]\n ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232\n ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744\n evict+0xec/0x334 fs/inode.c:665\n iput_final fs/inode.c:1748 [inline]\n iput+0x2c4/0x324 fs/inode.c:1774\n ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660\n ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278\n ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100\n lookup_open fs/namei.c:3413 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x804/0x11c4 fs/namei.c:3688\n do_filp_open+0xdc/0x1b8 fs/namei.c:3718\n do_sys_openat2+0xb8/0x22c fs/open.c:1311\n do_sys_open fs/open.c:1327 [inline]\n __do_sys_openat fs/open.c:1343 [inline]\n __se_sys_openat fs/open.c:1338 [inline]\n __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338\n __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]\n el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142\n do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206\n el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636\n el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654\n el0t_64_sync+0x18c/0x190\nCode: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14)\n---[ end trace 0000000000000000 ]---\n\nAbove issue may happens as follows:\nntfs_new_inode\n  mi_init\n    mi-\u003emrec = kmalloc(sbi-\u003erecord_size, GFP_NOFS); --\u003efailed to allocate memory\n      if (!mi-\u003emrec)\n        return -ENOMEM;\niput\n  iput_final\n    evict\n      ntfs_evict_inode\n        ni_write_inode\n\t  is_rec_inuse(ni-\u003emi.mrec)-\u003e As \u0027ni-\u003emi.mrec\u0027 is NULL trigger NULL-ptr-deref\n\nTo solve above issue if new inode failed make inode bad before call \u0027iput()\u0027 in\n\u0027ntfs_new_inode()\u0027.",
  "id": "GHSA-p4wm-h3cj-5rh8",
  "modified": "2025-12-30T15:30:31Z",
  "published": "2025-12-30T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54196"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1c5cffe0d662fb2de7b63176c2582abb69b5f538"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/329fc4d3f73d865b25f2ee4eafafb040ace37ad5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d3d3283e6b4fb3f3ee05dac30ee1461930b8103"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/db2a3cc6a3481076da6344cc62a80a4e2525f36f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.