CVE-2022-50869
Description
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Fix slab-out-of-bounds in r_page
When PAGE_SIZE is 64K, if read_log_page is called by log_read_rst for the first time, the size of *buffer would be equal to DefaultLogPageSize (4K). But for *buffer operations like memcpy, if the memory area size (n) which is being assigned to buffer is larger than 4K (log->page_size (64K) or bytes (64K-page_off)), it will cause an out of boundary error.
Call trace:
[...]
kasan_report+0x44/0x130
check_memory_region+0xf8/0x1a0
memcpy+0xc8/0x100
ntfs_read_run_nb+0x20c/0x460
read_log_page+0xd0/0x1f4
log_read_rst+0x110/0x75c
log_replay+0x1e8/0x4aa0
ntfs_loadlog_and_replay+0x290/0x2d0
ntfs_fill_super+0x508/0xec0
get_tree_bdev+0x1fc/0x34c
[...]
Fix this by setting variable r_page to NULL in log_read_rst.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's NTFS3 driver, a slab-out-of-bounds write can occur when PAGE_SIZE is 64K and the log replay code assumes a 4K buffer for reads, allowing memory corruption.
Vulnerability
Overview
The vulnerability resides in the NTFS3 filesystem driver (fs/ntfs3) in the Linux kernel. When the system's PAGE_SIZE is configured as 64 KB, a flaw in the read_log_page function can lead to a slab-out-of-bounds write. During the first call from log_read_rst, the buffer passed as *buffer is allocated at DefaultLogPageSize (4 KB). The subsequent memory operations, such as the memcpy in ntfs_read_run_nb, copy according to the actual log page size (log->page_size, 64 KB) or the remaining bytes to read, so when either exceeds 4 KB the copy runs past the end of the smaller buffer [1][2].
Exploitation
Prerequisites
The issue is triggered during filesystem mount, specifically within the log replay sequence (ntfs_loadlog_and_replay -> log_replay -> log_read_rst -> read_log_page). No special user privileges are required beyond the ability to mount a crafted NTFS3 filesystem image. The attacker must convince a target system to mount a maliciously prepared NTFS volume, which can occur through removable media, network filesystem mounts, or other vectors [2].
Impact
A successful exploit results in a slab-out-of-bounds write, which manifests as memory corruption. This can lead to system instability, denial of service (kernel panic), or potentially arbitrary code execution in kernel space, given the nature of the write primitive. The KASAN report confirms that the out-of-bounds access occurs via memcpy during read operations [1].
Mitigation
The fix, introduced via commits in the stable kernel tree, sets the variable r_page to NULL within log_read_rst so that the buffer is reallocated at the correct size rather than the undersized 4 KB one being reused [1][2]. Users should apply the latest kernel updates from their distribution that include this patch. No workaround is available short of disabling the NTFS3 driver or avoiding the mounting of untrusted NTFS volumes.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
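As an added illustration of the description and the Mitigation section above (not the kernel's own code): a simplified C model of the two read_log_page calls made by log_read_rst. The names read_log_page_model, log_read_rst_model, struct log_model and struct page_buf are hypothetical, and the behaviour of reusing a non-NULL *buffer is assumed from the description; the model returns -EOVERFLOW where the real memcpy would write past the 4K allocation, and succeeds once r_page is reset to NULL between the two reads.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define DEFAULT_LOG_PAGE_SIZE 4096 /* DefaultLogPageSize (4K) from the description */
#define BIG_PAGE_SIZE (64 * 1024)  /* log->page_size on a 64K PAGE_SIZE kernel */
/* Constructed stand-in for the $LogFile page on disk: zero-filled, only its length matters. */
static const unsigned char log_image[BIG_PAGE_SIZE];
/* Hypothetical, simplified reader state: only the field the bug depends on. */
struct log_model { size_t page_size; };
/* Heap buffer that records its capacity, so the model reports the overflow KASAN caught
 * instead of corrupting memory. */
struct page_buf { unsigned char *data; size_t cap; };

/* Models read_log_page: reuse *buffer when the caller passes one, else allocate
 * log->page_size bytes. The copy length is always log->page_size, which is the
 * defect when a smaller buffer is reused. Returns -EOVERFLOW where the kernel
 * would write out of bounds, 0 on success. */
static int read_log_page_model(struct log_model *log, struct page_buf **buffer)
{
    if (!*buffer) {
        struct page_buf *b = calloc(1, sizeof *b);
        if (!b) return -ENOMEM;
        b->data = malloc(log->page_size);
        if (!b->data) { free(b); return -ENOMEM; }
        b->cap = log->page_size;
        *buffer = b;
    }
    if (log->page_size > (*buffer)->cap)
        return -EOVERFLOW; /* the memcpy below would be the slab-out-of-bounds */
    memcpy((*buffer)->data, log_image, log->page_size);
    return 0;
}

static void free_page_buf(struct page_buf *b) { if (b) { free(b->data); free(b); } }

/* Models log_read_rst: read once with the default 4K page size, then re-read once
 * the real page size is known. fixed == 0 reuses the 4K buffer for the 64K read
 * (the bug); fixed == 1 resets r_page to NULL first so it is reallocated (the fix). */
int log_read_rst_model(int fixed)
{
    struct log_model log = { .page_size = DEFAULT_LOG_PAGE_SIZE };
    struct page_buf *r_page = NULL;
    int err = read_log_page_model(&log, &r_page);
    if (err) { free_page_buf(r_page); return err; }
    log.page_size = BIG_PAGE_SIZE; /* real page size read from the restart page */
    if (fixed) { free_page_buf(r_page); r_page = NULL; }
    err = read_log_page_model(&log, &r_page);
    free_page_buf(r_page);
    return err;
}
```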
Affected products: 1
Patches: 4
ed686e7a26dd
bf86a640a349
6d076293e5bf
ecfbd57cf9c5
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.