Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's NTFS3 filesystem driver can send directory lookups into an infinite loop, producing a denial-of-service condition. The issue arises during lookup operations when a malformed dentry is present in a directory's on-disk index. An attacker who controls the filesystem image can set the HAS_SUB_NODE flag in an INDEX_ENTRY within the directory's INDEX_ALLOCATION block and point the entry's sub-node VCN back at the block being read. indx_find() then follows that pointer and reads the same index block on every pass, allocating 4 KB for it each time. The loop performs no VCN loop detection and ignores the return value of fnd_push(), so nothing bounds the descent: the per-pass allocations accumulate until memory is exhausted and the system hits an out-of-memory crash.
Exploitation hangs the kernel in the lookup (for example, path resolution inside the affected directory never returns) while the per-pass allocations exhaust memory, ending in an out-of-memory crash. Because the trigger is on-disk metadata rather than a syscall argument, any path by which an untrusted NTFS volume gets mounted with the ntfs3 driver (removable media, automounted images) reaches it.
To reproduce the condition, craft an NTFS3 filesystem image with a malformed dentry: set the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and set the entry's sub-node VCN so that indx_find() re-reads the same block on every pass. Mount the image with ntfs3 and perform a name lookup in that directory. The lookup never terminates, each pass allocates another index block, and the system runs out of memory and crashes.
The vulnerability has been addressed by a patch that checks the return value of fnd_push() (fs/ntfs3/index.c), so that a failed push terminates the lookup with an error instead of letting the loop continue and leak the block it just read. The patch is available in the Linux kernel stable tree; check that your distribution kernel carries it before mounting untrusted NTFS volumes with ntfs3.
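The descent loop, the ignored fnd_push() result and the effect of the fix described above, as an added userspace model (this is not the kernel's code, and the names fnd_push(), put_indx_node(), HAS_SUB_NODE and the 20-entry fnd stack depth are assumptions modelled on the description, not copied from the driver). The two index tables are constructed inputs: one well-formed two-level index and one whose only entry points its sub-node VCN back at its own block. Each "read" allocates a 4 KB block exactly as the page describes; the model caps the loop at 1000 passes only so that it terminates, since the vulnerable kernel loop never would.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BLOCK_SIZE    4096   /* one INDEX_ALLOCATION block, allocated per read */
#define FND_MAX_LEVEL 20     /* assumed depth of the fnd->nodes[] stack */
#define HAS_SUB_NODE  0x0001 /* INDEX_ENTRY flag: entry points at a sub-node */
#define ITER_CAP      1000   /* bounds the model only; the kernel loop has no bound */

/* One INDEX_ENTRY reduced to the two fields the bug depends on. */
struct index_entry { uint16_t flags; uint64_t sub_vcn; };

/* Constructed indexes: one entry per block, indexed by the block's VCN. */
static const struct index_entry wellformed_index[] = {
    { HAS_SUB_NODE, 1 },   /* VCN 0: root block descends to VCN 1 */
    { 0,            0 },   /* VCN 1: leaf, the lookup terminates here */
};
static const struct index_entry malformed_index[] = {
    { HAS_SUB_NODE, 0 },   /* VCN 0: sub-node pointer aimed at itself */
};

struct indx_node { uint64_t vcn; unsigned char *buf; };
struct ntfs_fnd  { int level; struct indx_node *nodes[FND_MAX_LEVEL]; };
struct find_result { int ret; int reads; size_t leaked; };

static size_t bytes_live;  /* index-block memory not yet freed */

/* Reading an index block costs one 4 KB allocation, as in the driver. */
static struct indx_node *indx_read(uint64_t vcn)
{
    struct indx_node *n = malloc(sizeof *n);
    n->vcn = vcn;
    n->buf = calloc(1, BLOCK_SIZE);
    bytes_live += BLOCK_SIZE;
    return n;
}

static void put_indx_node(struct indx_node *n)
{
    bytes_live -= BLOCK_SIZE;
    free(n->buf);
    free(n);
}

/* Assumed contract of the kernel helper: -EINVAL once the stack is full. */
static int fnd_push(struct ntfs_fnd *fnd, struct indx_node *n)
{
    if (fnd->level >= FND_MAX_LEVEL)
        return -EINVAL;
    fnd->nodes[fnd->level++] = n;
    return 0;
}

static void fnd_clear(struct ntfs_fnd *fnd)
{
    while (fnd->level > 0)
        put_indx_node(fnd->nodes[--fnd->level]);
}

/*
 * Sub-node descent of the lookup. check_push = 0 models the vulnerable code
 * (fnd_push() result ignored), check_push = 1 the patched code. ret is 0 when
 * a leaf is reached, -EINVAL when the patched code aborts, and -1 when the
 * model hits ITER_CAP, the point at which the real kernel would spin forever.
 */
static struct find_result indx_find_model(const struct index_entry *idx,
                                          size_t nblocks, int check_push)
{
    struct ntfs_fnd fnd = { 0 };
    struct find_result r = { -1, 0, 0 };
    uint64_t vcn = 0;

    bytes_live = 0;
    while (r.reads < ITER_CAP) {
        struct indx_node *node;
        const struct index_entry *e;

        if (vcn >= nblocks) { r.ret = -EINVAL; break; } /* model guard only */
        node = indx_read(vcn);                /* 4 KB allocated on every pass */
        r.reads++;
        e = &idx[node->vcn];
        if (!(e->flags & HAS_SUB_NODE)) {     /* leaf: lookup terminates */
            put_indx_node(node);
            r.ret = 0;
            break;
        }
        if (check_push) {
            r.ret = fnd_push(&fnd, node);
            if (r.ret) {                      /* patched: release node, bail out */
                put_indx_node(node);
                break;
            }
        } else {
            fnd_push(&fnd, node);             /* vulnerable: failure ignored, node lost */
        }
        vcn = e->sub_vcn;                     /* self-reference: same block again */
    }
    fnd_clear(&fnd);
    r.leaked = bytes_live;                    /* blocks nobody can free any more */
    return r;
}

int main(void)
{
    struct find_result r = indx_find_model(wellformed_index, 2, 1);
    printf("well-formed, patched:      ret=%d reads=%d leaked=%zu\n", r.ret, r.reads, r.leaked);
    r = indx_find_model(malformed_index, 1, 0);
    printf("self-referencing, original: ret=%d reads=%d leaked=%zu (capped)\n", r.ret, r.reads, r.leaked);
    r = indx_find_model(malformed_index, 1, 1);
    printf("self-referencing, patched:  ret=%d reads=%d leaked=%zu\n", r.ret, r.reads, r.leaked);
    return 0;
}
```

On the self-referencing index the unchecked loop keeps reading until the cap and leaves every block pushed after the stack filled up unreachable, which is the memory-exhaustion path; the checked loop stops on the first failed push, frees the block it just read, and reports an error, and the well-formed index still resolves normally. A visited-VCN check would catch the same malformed entry earlier, but that is not what the page's patch does.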