Linux Kernel NTFS3 Subsystem Slab-Out-Of-Bounds Vulnerability

Vulnerability

A slab-out-of-bounds vulnerability has been identified in the NTFS3 subsystem of the Linux kernel. This issue occurs when the page size is set to 64K. During the first call of 'read_log_page' by 'log_read_rst', the buffer size is initialized to 4K. However, if the actual log page size is 64K, this discrepancy leads to a buffer overflow when 'memcpy' attempts to copy data, causing an out-of-bounds memory access. The vulnerability has been addressed by modifying the 'log_read_rst' function to initialize the 'r_page' variable to NULL, preventing the out-of-bounds access.
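The size mismatch and the NULL-initialization fix described above, modelled in user-space C as an added example (not kernel code and not part of the original advisory). The names read_page_model, restart_read, struct page_buf and its cap field are assumptions of this example; the bounds check keeps the model memory-safe and reports the case where the described path would write past the 4K buffer.

```c
/* User-space model; names and the cap field are assumptions, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_PAGE 4096u              /* size the caller guessed up front */
struct page_buf { uint8_t *data; size_t cap; };

/* Copy one log page of page_size bytes from src into pb. A NULL pb->data means
 * "callee allocates". Returns 0, or -1 if allocation fails or the page won't fit. */
static int read_page_model(const uint8_t *src, size_t page_size,
                           struct page_buf *pb)
{
    if (pb->data == NULL) {
        pb->data = malloc(page_size);   /* sized from the real page size */
        pb->cap = pb->data ? page_size : 0;
    }
    /* The flawed path has no such check: memcpy writes past the 4K object. */
    if (pb->data == NULL || page_size > pb->cap)
        return -1;
    memcpy(pb->data, src, page_size);
    return 0;
}

/* Models the caller: presize=1 is the pre-fix shape (4K buffer handed in),
 * presize=0 the post-fix shape (start from NULL, callee sizes the buffer). */
int restart_read(size_t page_size, int presize)
{
    uint8_t *src = calloc(1, page_size);    /* constructed stand-in for the log page */
    struct page_buf pb = { NULL, 0 };
    if (presize) {
        pb.data = malloc(DEFAULT_PAGE);
        pb.cap = DEFAULT_PAGE;
    }
    int rc = -1;
    if (src && (!presize || pb.data))
        rc = read_page_model(src, page_size, &pb);
    free(pb.data);
    free(src);
    return rc;
}

int main(void)
{
    printf("4K presized, 64K page: %d\n", restart_read(65536, 1));
    printf("NULL start,  64K page: %d\n", restart_read(65536, 0));
    return 0;
}
```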

Impact

This vulnerability results in a slab-out-of-bounds condition, which can potentially be exploited to cause a use-after-free or write-what-where vulnerability.

Reproduction

To reproduce this vulnerability, set the page size to 64K and call the 'read_log_page' function from 'log_read_rst' for the first time. The 'read_log_page' function will then attempt to copy data into a buffer that is incorrectly sized, leading to a slab-out-of-bounds condition.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the Linux kernel stable tree to address this vulnerability.

Added: Dec 30, 2025, 4:57 PM
Updated: Dec 30, 2025, 4:57 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.