Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's NTFS3 file system handling can lead to a buffer overflow. The issue arises during journal replay, where the 'check_file_record' function validates the total record size but does not properly validate the record's 'used' field. Because 'used' is taken from disk without this check, a manipulated value can cause an integer underflow in the length calculation, so that far more data than intended is copied into a 4KB buffer. Exploitation requires a corrupted file system, which is an unlikely scenario, but the flaw shows why every size field read from on-disk metadata must be validated, especially during journal replay.
Exploitation of this vulnerability results in a buffer overflow, where more data is copied into a buffer than it can hold. This kind of memory corruption can often be leveraged to execute arbitrary code or to cause a denial-of-service condition by crashing the system.
The vulnerability is triggered by a corrupted NTFS file system whose MFT (Master File Table) records carry a 'used' field that is either smaller than the offset of an already validated attribute or larger than the record size. During journal replay, 'check_file_record' does not reject such a 'used' value, and the subsequent length calculation underflows. In other words, the trigger is on-disk metadata that violates the invariant attribute offset <= used <= record size, which the validation logic never enforced.
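To make the failure mode concrete, the following added example (not kernel code; the record header layout, field names and the 'attr_off'/'attr_len' parameters are hypothetical) contrasts a check that validates only the record size with one that also enforces the invariant on 'used'. It shows how an unsigned subtraction of 'used - attr_off' wraps to a huge length when 'used' is undersized, and how a replay copy gated on the strict check refuses such a record.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical MFT record header model (constructed for this example, not
 * the kernel's struct): 'total' is the record size, 'used' the number of
 * bytes the record claims to have in use. */
struct rec_hdr {
    uint32_t total;
    uint32_t used;
};

#define REC_SIZE 4096u  /* size of the destination buffer during replay */

/* Weak check: validates only the total record size and trusts 'used'.
 * This models the class of omission described in the advisory. */
bool check_record_weak(const struct rec_hdr *h)
{
    return h->total == REC_SIZE;
}

/* Strict check: 'used' may not exceed the record size and must fully cover
 * the validated attribute at [attr_off, attr_off + attr_len). The sum is
 * computed in 64 bits so the bounds check itself cannot wrap. */
bool check_record_strict(const struct rec_hdr *h, uint32_t attr_off,
                         uint32_t attr_len)
{
    if (h->total != REC_SIZE)
        return false;
    if (h->used > h->total)
        return false;
    if ((uint64_t)attr_off + attr_len > h->used)
        return false;
    return true;
}

/* Length a naive replay path would derive for the bytes following the
 * attribute. With 'used' < 'attr_off' the unsigned subtraction wraps to a
 * value in the billions, far larger than the 4 KiB destination. */
uint32_t naive_copy_len(const struct rec_hdr *h, uint32_t attr_off)
{
    return h->used - attr_off;
}

/* Replay copy gated on the strict check. Returns bytes copied, or 0 when the
 * record is rejected. After the strict check, used >= attr_off holds, so the
 * length cannot wrap and cannot exceed REC_SIZE. */
size_t replay_copy(const struct rec_hdr *h, uint32_t attr_off,
                   uint32_t attr_len, const uint8_t *src, uint8_t *dst)
{
    if (!check_record_strict(h, attr_off, attr_len))
        return 0;
    size_t n = h->used - attr_off;
    memcpy(dst, src + attr_off, n);
    return n;
}

/* Constructed scenario: 'used' (64) is smaller than the attribute offset
 * (128). The weak check accepts it; the strict check rejects it. */
bool demo_undersized_used_accepted_by_weak(void)
{
    struct rec_hdr h = { REC_SIZE, 64 };
    return check_record_weak(&h);
}

bool demo_undersized_used_rejected_by_strict(void)
{
    struct rec_hdr h = { REC_SIZE, 64 };
    return !check_record_strict(&h, 128, 16);
}

uint32_t demo_wrapped_length(void)
{
    struct rec_hdr h = { REC_SIZE, 64 };
    return naive_copy_len(&h, 128);   /* 64 - 128 wraps to 4294967232 */
}

/* Constructed scenario: 'used' larger than the record size is also rejected. */
bool demo_oversized_used_rejected(void)
{
    struct rec_hdr h = { REC_SIZE, 5000 };
    return !check_record_strict(&h, 128, 64);
}

/* Constructed well-formed record: the gated copy proceeds and stays within
 * the 4 KiB buffer. */
size_t demo_valid_record_copied(void)
{
    static uint8_t src[REC_SIZE], dst[REC_SIZE];
    struct rec_hdr h = { REC_SIZE, 4096 };
    memset(src, 0xAB, sizeof src);
    return replay_copy(&h, 128, 64, src, dst);
}

int main(void)
{
    printf("weak accepts undersized used: %d\n", demo_undersized_used_accepted_by_weak());
    printf("strict rejects undersized used: %d\n", demo_undersized_used_rejected_by_strict());
    printf("naive length after wrap: %u\n", demo_wrapped_length());
    printf("strict rejects oversized used: %d\n", demo_oversized_used_rejected());
    printf("bytes copied for valid record: %zu\n", demo_valid_record_copied());
    return 0;
}
```

The design point is that the bounds check must be expressed against every value derived from the untrusted field, not just the record size: once used <= total and attr_off + attr_len <= used are enforced up front, the later subtraction is provably non-wrapping and the copy length is bounded by the buffer.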
Users should upgrade to a stable Linux kernel release that includes the fix for this issue. Patched releases can be downloaded from the official Linux kernel website.