Linux Kernel NTFS3 NULL Pointer Dereference Vulnerability in Attribute List Handling

Vulnerability

A vulnerability in the Linux kernel's NTFS3 file system implementation has been addressed. The issue involved improper error handling in the 'ni_create_attr_list' function, which led to a NULL pointer dereference. The defect was introduced by an earlier commit that replaced proper error handling with 'WARN_ON' statements, which only print a stack trace and let execution continue rather than returning an error to the caller. The NULL pointer dereference occurred when the function went on to access a page that did not exist, causing a kernel panic. The vulnerability could be triggered by manipulating extended attributes on an NTFS3 file system, in particular through the 'setxattr' system call. The issue affects Linux kernel versions through 6.2.0-rc1.
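The defect class described above, WARN_ON() used in place of an error return, is easy to see in miniature. The following is an added illustration, not the kernel's NTFS3 code: the structures, the lookup_page() helper, the 'fail' flag that models the missing page, and the -EINVAL return value are all hypothetical stand-ins chosen for this example. The vulnerable variant warns and then dereferences the pointer anyway; the hardened variant checks it and propagates an error so the caller can unwind.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userland stand-in for the kernel's WARN_ON(): report the condition and
 * keep going. Like the real macro, it does NOT stop the caller. */
#define WARN_ON(cond) \
    ((cond) ? (fprintf(stderr, "WARNING: %s:%d: %s\n", __FILE__, __LINE__, #cond), 1) : 0)

/* Hypothetical, simplified stand-ins for the structures involved; these are
 * not the kernel's definitions. */
struct page {
    unsigned char data[64];
};

struct attr_list {
    struct page *page;  /* backing page for the attribute list, if any */
    size_t len;         /* bytes written into the page */
};

static struct page backing_page;  /* constructed: the only page we "have" */

/* Simulated page lookup. 'fail' models the error case the advisory describes:
 * the page the function expects does not exist and NULL comes back. */
static struct page *lookup_page(struct attr_list *al, bool fail)
{
    if (fail)
        return NULL;
    al->page = &backing_page;
    return al->page;
}

/* Vulnerable pattern: the lookup result is only warned about, then used.
 * When lookup_page() returns NULL this dereferences a NULL pointer (in the
 * kernel, an oops/panic). Never call this with fail == true. */
static int create_attr_list_unsafe(struct attr_list *al, bool fail)
{
    struct page *page = lookup_page(al, fail);

    WARN_ON(!page);                            /* prints a trace, execution continues */
    memset(page->data, 0, sizeof page->data);  /* NULL dereference if lookup failed */
    al->len = sizeof page->data;
    return 0;
}

/* Hardened pattern: check the result and propagate an error code to the
 * caller (the -EINVAL choice is an assumption for this illustration). */
static int create_attr_list_safe(struct attr_list *al, bool fail)
{
    struct page *page = lookup_page(al, fail);

    if (!page)
        return -EINVAL;                        /* caller unwinds; nothing is touched */
    memset(page->data, 0, sizeof page->data);
    al->len = sizeof page->data;
    return 0;
}

/* Small drivers: run the hardened path on a fresh list and report the
 * status code or the resulting length. */
static int safe_status(bool fail)
{
    struct attr_list al = { 0 };
    return create_attr_list_safe(&al, fail);
}

static size_t safe_len(bool fail)
{
    struct attr_list al = { 0 };
    (void)create_attr_list_safe(&al, fail);
    return al.len;
}

int main(void)
{
    struct attr_list al = { 0 };

    printf("safe, lookup fails:      %d\n", safe_status(true));     /* -22 (-EINVAL) */
    printf("safe, lookup succeeds:   %d\n", safe_status(false));    /* 0 */
    printf("unsafe, lookup succeeds: %d\n", create_attr_list_unsafe(&al, false));
    /* create_attr_list_unsafe(&al, true) would crash: the warning fires, then
     * the NULL page pointer is written to. */
    return 0;
}
```

The point for reviewers and detection alike: a WARN_ON() in a kernel log is a symptom, not a handled error. A function that can fail must return that failure up the call chain; if it only warns, the next line runs with whatever the failed call left behind.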

Impact

Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a crash of the affected system.

Reproduction

The vulnerability can be reproduced by creating a scenario in which the 'ni_create_attr_list' function is called with an 'ntfs_inode' whose attribute data is invalid or corrupted. This can be done by manipulating the NTFS file system to introduce errors into the attribute list, then using the 'setxattr' system call to trigger the 'ni_create_attr_list' function. The kernel then attempts to process the corrupted attribute data, leading to a NULL pointer dereference and a system crash.

Remediation

Users can upgrade to Linux kernel versions 6.2.0-rc1 and later, where this vulnerability has been fixed.

Added: Sep 16, 2025, 5:36 PM
Updated: Sep 16, 2025, 5:36 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.