Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.0.0-rc7, < 6.0.0-rc7
A use-after-free vulnerability has been identified in the Linux kernel's NTFS3 file system implementation. This issue arises in the 'indx_get_root' function, where an index root is retrieved without proper length validation. The vulnerability was exposed during a mount operation, leading to a read of freed memory. The problem has been addressed by adding a length check to ensure the integrity of the retrieved index root. The vulnerability was present in Linux kernel version 6.0.0-rc7.
Exploitation of this vulnerability can lead to a use-after-free condition, where the system attempts to access memory that has already been freed. This can potentially be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.
The vulnerability can be reproduced by mounting an NTFS file system using a Linux kernel version prior to the patch. During the mount process, the 'indx_get_root' function is called, which retrieves the index root without performing a length check. This oversight allows for a use-after-free condition to occur, as the function reads from a memory address that has already been freed, leading to a KASAN (Kernel Address Sanitizer) report of bad memory access.
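The kind of length check described above, as an added user-space example; it is not the kernel's code or the actual patch. The structures, field names and functions are simplified, hypothetical stand-ins for an index root stored inside a resident attribute, and fields are read in host byte order for brevity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical layouts for illustration; not the kernel's NTFS3 structures. */
struct idx_hdr  { uint32_t first_off; uint32_t used; };  /* used: bytes claimed, counted from ihdr */
struct idx_root { uint32_t type; uint32_t rule; struct idx_hdr ihdr; };
struct res_attr { const uint8_t *data; uint32_t data_size; };  /* resident attribute payload */

/* "Before" shape: confirms only that the fixed-size root fits, then trusts ihdr.used.
 * Returns the end offset an entry walker would read up to, or 0 if the root does not fit. */
uint64_t root_end_unchecked(const struct res_attr *a)
{
    struct idx_root r;
    if (a->data_size < sizeof r)
        return 0;
    memcpy(&r, a->data, sizeof r);
    return (uint64_t)offsetof(struct idx_root, ihdr) + r.ihdr.used;
}

/* Hardened shape: the claimed end must lie inside the attribute's data. Returns 1 if safe to walk. */
int root_len_ok(const struct res_attr *a)
{
    struct idx_root r;
    if (a->data_size < sizeof r)
        return 0;
    memcpy(&r, a->data, sizeof r);
    if (r.ihdr.used < sizeof r.ihdr || r.ihdr.first_off > r.ihdr.used)
        return 0;
    /* 64-bit sum so a huge 'used' cannot wrap past the bound */
    return (uint64_t)offsetof(struct idx_root, ihdr) + r.ihdr.used <= a->data_size;
}

/* Constructed sample: writes a root claiming 'used' bytes into buf (>= sizeof(struct idx_root)). */
void make_root(uint8_t *buf, uint32_t used)
{
    struct idx_root r = { 0x30, 1, { (uint32_t)sizeof(struct idx_hdr), used } };
    memcpy(buf, &r, sizeof r);
}

int main(void)
{
    uint8_t buf[64] = {0};
    struct res_attr a = { buf, sizeof buf };
    make_root(buf, 0x1000);  /* claims 4096 bytes inside a 64-byte attribute */
    printf("unchecked end=%llu ok=%d\n", (unsigned long long)root_end_unchecked(&a), root_len_ok(&a));
    return 0;
}
```

The unchecked variant reports an end offset of 4104 for a 64-byte attribute, which is the situation the length check rejects before any entry is read.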
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for upgrading the Linux kernel can be found in the official Linux documentation or through the package management system of the Linux distribution in use.