Linux Kernel NTFS Use-After-Free Vulnerability in Attribute Handling

Vulnerability

A use-after-free vulnerability has been identified in the attribute handling code of the Linux kernel's NTFS file system implementation. Syzkaller reported it as a use-after-free bug in the 'ntfs_attr_find' function.

The root cause is improper bounds checking of attribute records: the kernel fails to validate the 'attrs_offset' field in the first Master File Table (MFT) record loaded from disk. If this field exceeds the allocated bytes, the kernel accesses invalid memory, which results in out-of-bounds reads and triggers the use-after-free condition. Mounting an NTFS file system with a crafted MFT record that exploits this oversight reproduces the bug, leading to memory corruption and potential arbitrary code execution.
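The missing validation described above, as an added user-space example (not the kernel's code and not the upstream patch). It assumes the standard NTFS on-disk header layout, with 'attrs_offset' at byte 20 and the allocated-bytes field at byte 28; the function names, the enum and the 1024-byte sample record are constructed for illustration.

```c
/* Added example: user-space sketch of the check, not the Linux kernel's code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* NTFS on-disk MFT record header offsets; all fields are little-endian. */
#define MFT_OFF_ATTRS_OFFSET    20 /* u16: offset of the first attribute */
#define MFT_OFF_BYTES_ALLOCATED 28 /* u32: bytes allocated for the record */
#define MFT_HEADER_MIN          32 /* bytes needed to read both fields */

enum mft_check { MFT_OK, MFT_TOO_SHORT, MFT_BAD_MAGIC, MFT_BAD_ALLOC,
                 MFT_BAD_ATTRS_OFFSET };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)le16(p) | (uint32_t)le16(p + 2) << 16;
}

/* Validate header fields before anything walks the attribute list. */
enum mft_check mft_check_header(const uint8_t *rec, size_t len)
{
    if (len < MFT_HEADER_MIN)
        return MFT_TOO_SHORT;
    if (memcmp(rec, "FILE", 4) != 0)
        return MFT_BAD_MAGIC;
    uint32_t allocated = le32(rec + MFT_OFF_BYTES_ALLOCATED);
    uint16_t attrs_offset = le16(rec + MFT_OFF_ATTRS_OFFSET);
    if (allocated > len)            /* record claims more than we hold */
        return MFT_BAD_ALLOC;
    if (attrs_offset >= allocated)  /* the check the page says was missing */
        return MFT_BAD_ATTRS_OFFSET;
    return MFT_OK;
}

/* Build a constructed 1024-byte record with the two fields set, then check. */
enum mft_check mft_check_sample(uint16_t attrs_offset, uint32_t allocated)
{
    uint8_t rec[1024] = {0};
    memcpy(rec, "FILE", 4);
    for (int i = 0; i < 2; i++)
        rec[MFT_OFF_ATTRS_OFFSET + i] = (uint8_t)(attrs_offset >> (8 * i));
    for (int i = 0; i < 4; i++)
        rec[MFT_OFF_BYTES_ALLOCATED + i] = (uint8_t)(allocated >> (8 * i));
    return mft_check_header(rec, sizeof rec);
}

int main(void) { return mft_check_sample(0x2000, 1024) == MFT_BAD_ATTRS_OFFSET ? 0 : 1; }
```

A record that fails this check should be rejected before any attribute lookup runs over it.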

Impact

Exploitation of this vulnerability causes a use-after-free condition, leading to memory corruption. Under certain conditions, such memory corruption can be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by mounting an NTFS file system that contains a crafted Master File Table (MFT) record. The record takes advantage of the missing bounds check on the 'attrs_offset' field, causing the 'ntfs_attr_find' function to read out-of-bounds memory. A fuzzer such as Syzkaller, which reported this bug, can generate such inputs automatically.

Remediation

Users should upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit addressing this issue can be found in the official Linux kernel Git repository.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.