Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
- >= 5.19.0, < 5.19.0-rc1
A vulnerability in the Linux kernel's NTFS3 file system handling can lead to a NULL pointer dereference when mounting a malformed NTFS image. The issue arises because a negative value in the BOOT record's size field is interpreted as a shift value, and the affected code does not validate that shift before using it, so the record bits are calculated incorrectly. The flaw was introduced in version 5.19 and exists in several subsequent versions.
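The check below is an added example, not the kernel's code or the fix itself: it shows how a parser can derive the MFT record size from the boot-sector field described above, bounding the shift before it is applied so that a malformed image is rejected rather than producing a bogus record size and record bits. The struct layout, field names and the sanity bounds are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/*
 * Simplified stand-in for the boot-sector fields that feed the MFT record
 * size calculation. Constructed for this example; the field names and
 * layout are assumptions, not the kernel's or NTFS's own definitions.
 */
struct boot_fields {
    uint16_t bytes_per_sector;    /* 512, 1024, 2048 or 4096 */
    uint8_t  sectors_per_cluster; /* power of two, 1..128 */
    int8_t   record_size;         /* >0: clusters per MFT record; <0: record is 2^-n bytes */
};

/* Assumed sanity bounds for an MFT record (example policy, not the NTFS spec). */
#define MIN_RECORD_SIZE  256u        /* anything smaller cannot hold a record header */
#define MAX_RECORD_SIZE  (1u << 20)  /* 1 MiB: generous upper bound */

static bool is_pow2(uint32_t v) { return v != 0 && (v & (v - 1)) == 0; }

/*
 * Derive the MFT record size in bytes. Returns 0 when any field is out of
 * range, so the caller rejects the image instead of continuing with a
 * nonsense size.
 */
uint32_t mft_record_size(const struct boot_fields *b)
{
    uint32_t sector = b->bytes_per_sector;
    uint32_t spc = b->sectors_per_cluster;

    if (sector < 512 || sector > 4096 || !is_pow2(sector))
        return 0;
    if (spc < 1 || spc > 128 || !is_pow2(spc))
        return 0;

    uint32_t cluster = sector * spc;   /* at most 4096 * 128 = 512 KiB, no overflow */
    uint32_t size;

    if (b->record_size > 0) {
        /* Positive: a count of clusters. cluster <= 512 KiB and
         * record_size <= 127, so the product fits in 32 bits. */
        size = cluster * (uint32_t)b->record_size;
    } else if (b->record_size < 0) {
        /* Negative: the magnitude is a shift. Bound it BEFORE shifting:
         * shifting a 32-bit value by 32 or more is undefined behaviour in C,
         * and a large shift yields a size no later check can make sense of. */
        int shift = -(int)b->record_size;   /* 1..128 */
        if (shift >= 31)
            return 0;
        size = 1u << shift;
    } else {
        return 0;   /* zero clusters per record is meaningless */
    }

    if (size < MIN_RECORD_SIZE || size > MAX_RECORD_SIZE || !is_pow2(size))
        return 0;
    return size;
}

/* log2 of the record size (the "record bits" used to address records); -1 if invalid. */
int mft_record_bits(const struct boot_fields *b)
{
    uint32_t size = mft_record_size(b);
    if (size == 0)
        return -1;
    int bits = 0;
    while ((1u << bits) < size)
        bits++;
    return bits;
}
```

The point of the ordering is that the range check on the shift happens before the shift is evaluated; validating only the resulting size would be too late, because the shift itself is already undefined for large magnitudes.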
Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a crash. However, such NULL pointer dereferences can sometimes be exploited to execute arbitrary code under certain conditions.
To reproduce this vulnerability, mount a malformed NTFS image that exploits the BOOT record size validation flaw. This can be done by creating an NTFS image with a negative BOOT record size that triggers the vulnerability when the image is mounted.
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.