CVE-2023-54125 (GCVE-0-2023-54125)

Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
Title
fs/ntfs3: Return error for inconsistent extended attributes
Summary
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Return error for inconsistent extended attributes

ntfs_read_ea is called when we want to read extended attributes. There are some sanity checks for the validity of the EAs. However, it fails to return a proper error code for the inconsistent attributes, which might lead to unpredicted memory accesses after return. The KASAN report below shows the resulting use-after-free write in ntfs_set_ea, reached through the setxattr system call.

[ 138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0
[ 138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199
[ 138.931132]
[ 138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4
[ 138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 138.947327] Call Trace:
[ 138.949557] <TASK>
[ 138.951539] dump_stack_lvl+0x4d/0x67
[ 138.956834] print_report+0x16f/0x4a6
[ 138.960798] ? ntfs_set_ea+0x453/0xbf0
[ 138.964437] ? kasan_complete_mode_report_info+0x7d/0x200
[ 138.969793] ? ntfs_set_ea+0x453/0xbf0
[ 138.973523] kasan_report+0xb8/0x140
[ 138.976740] ? ntfs_set_ea+0x453/0xbf0
[ 138.980578] __asan_store4+0x76/0xa0
[ 138.984669] ntfs_set_ea+0x453/0xbf0
[ 138.988115] ? __pfx_ntfs_set_ea+0x10/0x10
[ 138.993390] ? kernel_text_address+0xd3/0xe0
[ 138.998270] ? __kernel_text_address+0x16/0x50
[ 139.002121] ? unwind_get_return_address+0x3e/0x60
[ 139.005659] ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 139.010177] ? arch_stack_walk+0xa2/0x100
[ 139.013657] ? filter_irq_stacks+0x27/0x80
[ 139.017018] ntfs_setxattr+0x405/0x440
[ 139.022151] ? __pfx_ntfs_setxattr+0x10/0x10
[ 139.026569] ? kvmalloc_node+0x2d/0x120
[ 139.030329] ? kasan_save_stack+0x41/0x60
[ 139.033883] ? kasan_save_stack+0x2a/0x60
[ 139.037338] ? kasan_set_track+0x29/0x40
[ 139.040163] ? kasan_save_alloc_info+0x1f/0x30
[ 139.043588] ? __kasan_kmalloc+0x8b/0xa0
[ 139.047255] ? __kmalloc_node+0x68/0x150
[ 139.051264] ? kvmalloc_node+0x2d/0x120
[ 139.055301] ? vmemdup_user+0x2b/0xa0
[ 139.058584] __vfs_setxattr+0x121/0x170
[ 139.062617] ? __pfx___vfs_setxattr+0x10/0x10
[ 139.066282] __vfs_setxattr_noperm+0x97/0x300
[ 139.070061] __vfs_setxattr_locked+0x145/0x170
[ 139.073580] vfs_setxattr+0x137/0x2a0
[ 139.076641] ? __pfx_vfs_setxattr+0x10/0x10
[ 139.080223] ? __kasan_check_write+0x18/0x20
[ 139.084234] do_setxattr+0xce/0x150
[ 139.087768] setxattr+0x126/0x140
[ 139.091250] ? __pfx_setxattr+0x10/0x10
[ 139.094948] ? __virt_addr_valid+0xcb/0x140
[ 139.097838] ? __call_rcu_common.constprop.0+0x1c7/0x330
[ 139.102688] ? debug_smp_processor_id+0x1b/0x30
[ 139.105985] ? kasan_quarantine_put+0x5b/0x190
[ 139.109980] ? putname+0x84/0xa0
[ 139.113886] ? __kasan_slab_free+0x11e/0x1b0
[ 139.117961] ? putname+0x84/0xa0
[ 139.121316] ? preempt_count_sub+0x1c/0xd0
[ 139.124427] ? __mnt_want_write+0xae/0x100
[ 139.127836] ? mnt_want_write+0x8f/0x150
[ 139.130954] path_setxattr+0x164/0x180
[ 139.133998] ? __pfx_path_setxattr+0x10/0x10
[ 139.137853] ? __pfx_ksys_pwrite64+0x10/0x10
[ 139.141299] ? debug_smp_processor_id+0x1b/0x30
[ 139.145714] ? fpregs_assert_state_consistent+0x6b/0x80
[ 139.150796] __x64_sys_setxattr+0x71/0x90
[ 139.155407] do_syscall_64+0x3f/0x90
[ 139.159035] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 139.163843] RIP: 0033:0x7f108cae4469
[ 139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088
[ 139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc
[ 139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469
[ 139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6
[ 139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618
[ 139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0
[ 139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15
---truncated---
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1474098b590a426d90f27bb992f17c326e0b60c1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c9db0ff04649aa0b45f497183c957fe260f229f6 (git)
    Linux Linux Unaffected: 6.4.12 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1474098b590a426d90f27bb992f17c326e0b60c1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c9db0ff04649aa0b45f497183c957fe260f229f6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Return error for inconsistent extended attributes\n\nntfs_read_ea is called when we want to read extended attributes. There\nare some sanity checks for the validity of the EAs. However, it fails to\nreturn a proper error code for the inconsistent attributes, which might\nlead to unpredicted memory accesses after return.\n\n[  138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0\n[  138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199\n[  138.931132]\n[  138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4\n[  138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[  138.947327] Call Trace:\n[  138.949557]  \u003cTASK\u003e\n[  138.951539]  dump_stack_lvl+0x4d/0x67\n[  138.956834]  print_report+0x16f/0x4a6\n[  138.960798]  ? ntfs_set_ea+0x453/0xbf0\n[  138.964437]  ? kasan_complete_mode_report_info+0x7d/0x200\n[  138.969793]  ? ntfs_set_ea+0x453/0xbf0\n[  138.973523]  kasan_report+0xb8/0x140\n[  138.976740]  ? ntfs_set_ea+0x453/0xbf0\n[  138.980578]  __asan_store4+0x76/0xa0\n[  138.984669]  ntfs_set_ea+0x453/0xbf0\n[  138.988115]  ? __pfx_ntfs_set_ea+0x10/0x10\n[  138.993390]  ? kernel_text_address+0xd3/0xe0\n[  138.998270]  ? __kernel_text_address+0x16/0x50\n[  139.002121]  ? unwind_get_return_address+0x3e/0x60\n[  139.005659]  ? __pfx_stack_trace_consume_entry+0x10/0x10\n[  139.010177]  ? arch_stack_walk+0xa2/0x100\n[  139.013657]  ? filter_irq_stacks+0x27/0x80\n[  139.017018]  ntfs_setxattr+0x405/0x440\n[  139.022151]  ? __pfx_ntfs_setxattr+0x10/0x10\n[  139.026569]  ? kvmalloc_node+0x2d/0x120\n[  139.030329]  ? kasan_save_stack+0x41/0x60\n[  139.033883]  ? kasan_save_stack+0x2a/0x60\n[  139.037338]  ? kasan_set_track+0x29/0x40\n[  139.040163]  ? kasan_save_alloc_info+0x1f/0x30\n[  139.043588]  ? __kasan_kmalloc+0x8b/0xa0\n[  139.047255]  ? 
__kmalloc_node+0x68/0x150\n[  139.051264]  ? kvmalloc_node+0x2d/0x120\n[  139.055301]  ? vmemdup_user+0x2b/0xa0\n[  139.058584]  __vfs_setxattr+0x121/0x170\n[  139.062617]  ? __pfx___vfs_setxattr+0x10/0x10\n[  139.066282]  __vfs_setxattr_noperm+0x97/0x300\n[  139.070061]  __vfs_setxattr_locked+0x145/0x170\n[  139.073580]  vfs_setxattr+0x137/0x2a0\n[  139.076641]  ? __pfx_vfs_setxattr+0x10/0x10\n[  139.080223]  ? __kasan_check_write+0x18/0x20\n[  139.084234]  do_setxattr+0xce/0x150\n[  139.087768]  setxattr+0x126/0x140\n[  139.091250]  ? __pfx_setxattr+0x10/0x10\n[  139.094948]  ? __virt_addr_valid+0xcb/0x140\n[  139.097838]  ? __call_rcu_common.constprop.0+0x1c7/0x330\n[  139.102688]  ? debug_smp_processor_id+0x1b/0x30\n[  139.105985]  ? kasan_quarantine_put+0x5b/0x190\n[  139.109980]  ? putname+0x84/0xa0\n[  139.113886]  ? __kasan_slab_free+0x11e/0x1b0\n[  139.117961]  ? putname+0x84/0xa0\n[  139.121316]  ? preempt_count_sub+0x1c/0xd0\n[  139.124427]  ? __mnt_want_write+0xae/0x100\n[  139.127836]  ? mnt_want_write+0x8f/0x150\n[  139.130954]  path_setxattr+0x164/0x180\n[  139.133998]  ? __pfx_path_setxattr+0x10/0x10\n[  139.137853]  ? __pfx_ksys_pwrite64+0x10/0x10\n[  139.141299]  ? debug_smp_processor_id+0x1b/0x30\n[  139.145714]  ? 
fpregs_assert_state_consistent+0x6b/0x80\n[  139.150796]  __x64_sys_setxattr+0x71/0x90\n[  139.155407]  do_syscall_64+0x3f/0x90\n[  139.159035]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n[  139.163843] RIP: 0033:0x7f108cae4469\n[  139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088\n[  139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc\n[  139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469\n[  139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6\n[  139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618\n[  139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0\n[  139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T13:06:43.977Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1474098b590a426d90f27bb992f17c326e0b60c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9db0ff04649aa0b45f497183c957fe260f229f6"
        }
      ],
      "title": "fs/ntfs3: Return error for inconsistent extended attributes",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54125",
    "datePublished": "2025-12-24T13:06:43.977Z",
    "dateReserved": "2025-12-24T13:02:52.521Z",
    "dateUpdated": "2025-12-24T13:06:43.977Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54125\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:16:14.473\",\"lastModified\":\"2025-12-24T13:16:14.473\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs/ntfs3: Return error for inconsistent extended attributes\\n\\nntfs_read_ea is called when we want to read extended attributes. There\\nare some sanity checks for the validity of the EAs. However, it fails to\\nreturn a proper error code for the inconsistent attributes, which might\\nlead to unpredicted memory accesses after return.\\n\\n[  138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0\\n[  138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199\\n[  138.931132]\\n[  138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4\\n[  138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\\n[  138.947327] Call Trace:\\n[  138.949557]  \u003cTASK\u003e\\n[  138.951539]  dump_stack_lvl+0x4d/0x67\\n[  138.956834]  print_report+0x16f/0x4a6\\n[  138.960798]  ? ntfs_set_ea+0x453/0xbf0\\n[  138.964437]  ? kasan_complete_mode_report_info+0x7d/0x200\\n[  138.969793]  ? ntfs_set_ea+0x453/0xbf0\\n[  138.973523]  kasan_report+0xb8/0x140\\n[  138.976740]  ? ntfs_set_ea+0x453/0xbf0\\n[  138.980578]  __asan_store4+0x76/0xa0\\n[  138.984669]  ntfs_set_ea+0x453/0xbf0\\n[  138.988115]  ? __pfx_ntfs_set_ea+0x10/0x10\\n[  138.993390]  ? kernel_text_address+0xd3/0xe0\\n[  138.998270]  ? __kernel_text_address+0x16/0x50\\n[  139.002121]  ? unwind_get_return_address+0x3e/0x60\\n[  139.005659]  ? __pfx_stack_trace_consume_entry+0x10/0x10\\n[  139.010177]  ? arch_stack_walk+0xa2/0x100\\n[  139.013657]  ? filter_irq_stacks+0x27/0x80\\n[  139.017018]  ntfs_setxattr+0x405/0x440\\n[  139.022151]  ? 
__pfx_ntfs_setxattr+0x10/0x10\\n[  139.026569]  ? kvmalloc_node+0x2d/0x120\\n[  139.030329]  ? kasan_save_stack+0x41/0x60\\n[  139.033883]  ? kasan_save_stack+0x2a/0x60\\n[  139.037338]  ? kasan_set_track+0x29/0x40\\n[  139.040163]  ? kasan_save_alloc_info+0x1f/0x30\\n[  139.043588]  ? __kasan_kmalloc+0x8b/0xa0\\n[  139.047255]  ? __kmalloc_node+0x68/0x150\\n[  139.051264]  ? kvmalloc_node+0x2d/0x120\\n[  139.055301]  ? vmemdup_user+0x2b/0xa0\\n[  139.058584]  __vfs_setxattr+0x121/0x170\\n[  139.062617]  ? __pfx___vfs_setxattr+0x10/0x10\\n[  139.066282]  __vfs_setxattr_noperm+0x97/0x300\\n[  139.070061]  __vfs_setxattr_locked+0x145/0x170\\n[  139.073580]  vfs_setxattr+0x137/0x2a0\\n[  139.076641]  ? __pfx_vfs_setxattr+0x10/0x10\\n[  139.080223]  ? __kasan_check_write+0x18/0x20\\n[  139.084234]  do_setxattr+0xce/0x150\\n[  139.087768]  setxattr+0x126/0x140\\n[  139.091250]  ? __pfx_setxattr+0x10/0x10\\n[  139.094948]  ? __virt_addr_valid+0xcb/0x140\\n[  139.097838]  ? __call_rcu_common.constprop.0+0x1c7/0x330\\n[  139.102688]  ? debug_smp_processor_id+0x1b/0x30\\n[  139.105985]  ? kasan_quarantine_put+0x5b/0x190\\n[  139.109980]  ? putname+0x84/0xa0\\n[  139.113886]  ? __kasan_slab_free+0x11e/0x1b0\\n[  139.117961]  ? putname+0x84/0xa0\\n[  139.121316]  ? preempt_count_sub+0x1c/0xd0\\n[  139.124427]  ? __mnt_want_write+0xae/0x100\\n[  139.127836]  ? mnt_want_write+0x8f/0x150\\n[  139.130954]  path_setxattr+0x164/0x180\\n[  139.133998]  ? __pfx_path_setxattr+0x10/0x10\\n[  139.137853]  ? __pfx_ksys_pwrite64+0x10/0x10\\n[  139.141299]  ? debug_smp_processor_id+0x1b/0x30\\n[  139.145714]  ? 
fpregs_assert_state_consistent+0x6b/0x80\\n[  139.150796]  __x64_sys_setxattr+0x71/0x90\\n[  139.155407]  do_syscall_64+0x3f/0x90\\n[  139.159035]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\\n[  139.163843] RIP: 0033:0x7f108cae4469\\n[  139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088\\n[  139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc\\n[  139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469\\n[  139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6\\n[  139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618\\n[  139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0\\n[  139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1474098b590a426d90f27bb992f17c326e0b60c1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c9db0ff04649aa0b45f497183c957fe260f229f6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}







Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

