GHSA-397Q-F49X-2C9J
Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2025-10-04 18:31In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Validate data run offset
This adds sanity checks for data run offset. We should make sure data run offset is legit before trying to unpack them, otherwise we may encounter use-after-free or some unexpected memory access behaviors.
[ 82.940342] BUG: KASAN: use-after-free in run_unpack+0x2e3/0x570 [ 82.941180] Read of size 1 at addr ffff888008a8487f by task mount/240 [ 82.941670] [ 82.942069] CPU: 0 PID: 240 Comm: mount Not tainted 5.19.0+ #15 [ 82.942482] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 82.943720] Call Trace: [ 82.944204] [ 82.944471] dump_stack_lvl+0x49/0x63 [ 82.944908] print_report.cold+0xf5/0x67b [ 82.945141] ? __wait_on_bit+0x106/0x120 [ 82.945750] ? run_unpack+0x2e3/0x570 [ 82.946626] kasan_report+0xa7/0x120 [ 82.947046] ? run_unpack+0x2e3/0x570 [ 82.947280] __asan_load1+0x51/0x60 [ 82.947483] run_unpack+0x2e3/0x570 [ 82.947709] ? memcpy+0x4e/0x70 [ 82.947927] ? run_pack+0x7a0/0x7a0 [ 82.948158] run_unpack_ex+0xad/0x3f0 [ 82.948399] ? mi_enum_attr+0x14a/0x200 [ 82.948717] ? run_unpack+0x570/0x570 [ 82.949072] ? ni_enum_attr_ex+0x1b2/0x1c0 [ 82.949332] ? ni_fname_type.part.0+0xd0/0xd0 [ 82.949611] ? mi_read+0x262/0x2c0 [ 82.949970] ? ntfs_cmp_names_cpu+0x125/0x180 [ 82.950249] ntfs_iget5+0x632/0x1870 [ 82.950621] ? ntfs_get_block_bmap+0x70/0x70 [ 82.951192] ? evict+0x223/0x280 [ 82.951525] ? iput.part.0+0x286/0x320 [ 82.951969] ntfs_fill_super+0x1321/0x1e20 [ 82.952436] ? put_ntfs+0x1d0/0x1d0 [ 82.952822] ? vsprintf+0x20/0x20 [ 82.953188] ? mutex_unlock+0x81/0xd0 [ 82.953379] ? set_blocksize+0x95/0x150 [ 82.954001] get_tree_bdev+0x232/0x370 [ 82.954438] ? put_ntfs+0x1d0/0x1d0 [ 82.954700] ntfs_fs_get_tree+0x15/0x20 [ 82.955049] vfs_get_tree+0x4c/0x130 [ 82.955292] path_mount+0x645/0xfd0 [ 82.955615] ? putname+0x80/0xa0 [ 82.955955] ? finish_automount+0x2e0/0x2e0 [ 82.956310] ? kmem_cache_free+0x110/0x390 [ 82.956723] ? putname+0x80/0xa0 [ 82.957023] do_mount+0xd6/0xf0 [ 82.957411] ? path_mount+0xfd0/0xfd0 [ 82.957638] ? __kasan_check_write+0x14/0x20 [ 82.957948] __x64_sys_mount+0xca/0x110 [ 82.958310] do_syscall_64+0x3b/0x90 [ 82.958719] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 82.959341] RIP: 0033:0x7fd0d1ce948a [ 82.960193] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 82.961532] RSP: 002b:00007ffe59ff69a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 82.962527] RAX: ffffffffffffffda RBX: 0000564dcc107060 RCX: 00007fd0d1ce948a [ 82.963266] RDX: 0000564dcc107260 RSI: 0000564dcc1072e0 RDI: 0000564dcc10fce0 [ 82.963686] RBP: 0000000000000000 R08: 0000564dcc107280 R09: 0000000000000020 [ 82.964272] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564dcc10fce0 [ 82.964785] R13: 0000564dcc107260 R14: 0000000000000000 R15: 00000000ffffffff
{
"affected": [],
"aliases": [
"CVE-2022-50507"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-04T16:15:47Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate data run offset\n\nThis adds sanity checks for data run offset. We should make sure data\nrun offset is legit before trying to unpack them, otherwise we may\nencounter use-after-free or some unexpected memory access behaviors.\n\n[ 82.940342] BUG: KASAN: use-after-free in run_unpack+0x2e3/0x570\n[ 82.941180] Read of size 1 at addr ffff888008a8487f by task mount/240\n[ 82.941670]\n[ 82.942069] CPU: 0 PID: 240 Comm: mount Not tainted 5.19.0+ #15\n[ 82.942482] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[ 82.943720] Call Trace:\n[ 82.944204] \u003cTASK\u003e\n[ 82.944471] dump_stack_lvl+0x49/0x63\n[ 82.944908] print_report.cold+0xf5/0x67b\n[ 82.945141] ? __wait_on_bit+0x106/0x120\n[ 82.945750] ? run_unpack+0x2e3/0x570\n[ 82.946626] kasan_report+0xa7/0x120\n[ 82.947046] ? run_unpack+0x2e3/0x570\n[ 82.947280] __asan_load1+0x51/0x60\n[ 82.947483] run_unpack+0x2e3/0x570\n[ 82.947709] ? memcpy+0x4e/0x70\n[ 82.947927] ? run_pack+0x7a0/0x7a0\n[ 82.948158] run_unpack_ex+0xad/0x3f0\n[ 82.948399] ? mi_enum_attr+0x14a/0x200\n[ 82.948717] ? run_unpack+0x570/0x570\n[ 82.949072] ? ni_enum_attr_ex+0x1b2/0x1c0\n[ 82.949332] ? ni_fname_type.part.0+0xd0/0xd0\n[ 82.949611] ? mi_read+0x262/0x2c0\n[ 82.949970] ? ntfs_cmp_names_cpu+0x125/0x180\n[ 82.950249] ntfs_iget5+0x632/0x1870\n[ 82.950621] ? ntfs_get_block_bmap+0x70/0x70\n[ 82.951192] ? evict+0x223/0x280\n[ 82.951525] ? iput.part.0+0x286/0x320\n[ 82.951969] ntfs_fill_super+0x1321/0x1e20\n[ 82.952436] ? put_ntfs+0x1d0/0x1d0\n[ 82.952822] ? vsprintf+0x20/0x20\n[ 82.953188] ? mutex_unlock+0x81/0xd0\n[ 82.953379] ? set_blocksize+0x95/0x150\n[ 82.954001] get_tree_bdev+0x232/0x370\n[ 82.954438] ? put_ntfs+0x1d0/0x1d0\n[ 82.954700] ntfs_fs_get_tree+0x15/0x20\n[ 82.955049] vfs_get_tree+0x4c/0x130\n[ 82.955292] path_mount+0x645/0xfd0\n[ 82.955615] ? putname+0x80/0xa0\n[ 82.955955] ? finish_automount+0x2e0/0x2e0\n[ 82.956310] ? kmem_cache_free+0x110/0x390\n[ 82.956723] ? putname+0x80/0xa0\n[ 82.957023] do_mount+0xd6/0xf0\n[ 82.957411] ? path_mount+0xfd0/0xfd0\n[ 82.957638] ? __kasan_check_write+0x14/0x20\n[ 82.957948] __x64_sys_mount+0xca/0x110\n[ 82.958310] do_syscall_64+0x3b/0x90\n[ 82.958719] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 82.959341] RIP: 0033:0x7fd0d1ce948a\n[ 82.960193] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\n[ 82.961532] RSP: 002b:00007ffe59ff69a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5\n[ 82.962527] RAX: ffffffffffffffda RBX: 0000564dcc107060 RCX: 00007fd0d1ce948a\n[ 82.963266] RDX: 0000564dcc107260 RSI: 0000564dcc1072e0 RDI: 0000564dcc10fce0\n[ 82.963686] RBP: 0000000000000000 R08: 0000564dcc107280 R09: 0000000000000020\n[ 82.964272] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564dcc10fce0\n[ 82.964785] R13: 0000564dcc107260 R14: 0000000000000000 R15: 00000000ffffffff",
"id": "GHSA-397q-f49x-2c9j",
"modified": "2025-10-04T18:31:14Z",
"published": "2025-10-04T18:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50507"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6db620863f8528ed9a9aa5ad323b26554a17881d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9173b89c16a603d73c434b695fe2a7a13491300f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/de5e0955248ff90a2ae91e7f5c108392b52152d0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e0455361d3068066a91fe18282b751925d7b5ee7"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.