Linux Kernel NTFS3 Circular Locking Dependency Vulnerability Allowing Deadlock

Vulnerability

A circular locking dependency vulnerability has been identified in the Linux kernel's NTFS3 file system module, specifically within the 'run_unpack_ex' function. This vulnerability creates a deadlock scenario by causing a circular wait between two locks: 'ni->file.run_lock' and 'wnd->rw_lock' (associated with 'sbi->used.bitmap'). The deadlock occurs when 'ntfs_extend_mft' acquires 'ni->file.run_lock' before 'wnd->rw_lock', while 'run_unpack_ex' takes 'wnd->rw_lock' and then attempts to acquire 'ni->file.run_lock' again through 'ntfs_refresh_zone', leading to an AB-BA deadlock situation.

Impact

Exploitation of this vulnerability leads to a deadlock, causing the system to hang indefinitely as it waits for the locked resources to be released.

Reproduction

The vulnerability can be reproduced by creating a scenario where 'ntfs_extend_mft' and 'run_unpack_ex' are called in a way that causes them to acquire the locks in a conflicting order, thus creating the deadlock. This can be done by manipulating the NTFS3 file system operations to trigger the locking sequence that leads to the circular dependency.

Remediation

The vulnerability has been fixed by modifying 'run_unpack_ex' to use 'down_read_trylock' instead of 'down_read' when acquiring 'run_lock'. This change allows the function to skip 'ntfs_refresh_zone' if the lock is contested, preventing the deadlock. The fix is available in the Linux kernel stable tree.
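The lock ordering described above can be checked with a small lock-order graph, the same kind of ordering check a lock validator performs. This is an added userspace model, not kernel code and not taken from the advisory or the fix; `extend_mft_path`, `unpack_path` and `lock_order_ok` are hypothetical names. It assumes the trylock succeeds, whereas the fix skips 'ntfs_refresh_zone' when it fails.

```c
#include <stdbool.h>
#include <string.h>

enum { RUN_LOCK, WND_LOCK, NLOCKS };  /* ni->file.run_lock, wnd->rw_lock */
static bool edge[NLOCKS][NLOCKS];     /* edge[a][b]: b was waited for while a was held */
static bool held[NLOCKS];

/* True if 'to' can be reached from 'from' along recorded dependencies. */
static bool reachable(int from, int to, unsigned seen) {
    if (from == to) return true;
    for (int n = 0; n < NLOCKS; n++)
        if (edge[from][n] && !(seen & (1u << n)) && reachable(n, to, seen | (1u << from)))
            return true;
    return false;
}

/* Take 'lock'. A blocking acquire records held->lock and returns false if that
 * closes a cycle. A trylock never waits, so it records no dependency. */
static bool acquire(int lock, bool trylock) {
    bool ok = true;
    for (int h = 0; h < NLOCKS && !trylock; h++) {
        if (!held[h] || h == lock) continue;
        if (reachable(lock, h, 0)) ok = false;  /* lock -> ... -> h already exists */
        edge[h][lock] = true;
    }
    held[lock] = true;
    return ok;
}

/* Order the advisory gives for ntfs_extend_mft: run_lock, then wnd->rw_lock. */
static bool extend_mft_path(void) {
    bool a = acquire(RUN_LOCK, false);
    bool b = acquire(WND_LOCK, false);
    held[WND_LOCK] = held[RUN_LOCK] = false;
    return a && b;
}

/* Order the advisory gives for run_unpack_ex: wnd->rw_lock, then run_lock. */
static bool unpack_path(bool use_trylock) {
    bool a = acquire(WND_LOCK, false);
    bool b = acquire(RUN_LOCK, use_trylock);
    held[RUN_LOCK] = held[WND_LOCK] = false;
    return a && b;
}

/* Replay both paths on an empty graph; true means no circular dependency. */
static bool lock_order_ok(bool use_trylock) {
    memset(edge, 0, sizeof edge); memset(held, 0, sizeof held);
    return extend_mft_path() && unpack_path(use_trylock);
}
int main(void) { return (!lock_order_ok(false) && lock_order_ok(true)) ? 0 : 1; }
```

With the blocking acquire the second path closes the run_lock -> rw_lock -> run_lock cycle; with the trylock no rw_lock -> run_lock dependency is ever recorded.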

Added: May 6, 2026, 5:26 PM
Updated: May 6, 2026, 5:26 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.