fs/ntfs3/index.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
We found an infinite loop bug in the ntfs3 file system that can lead to a
Denial-of-Service (DoS) condition.
A malformed dentry in the ntfs3 filesystem can cause the kernel to hang
during the lookup operations. By setting the HAS_SUB_NODE flag in an
INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the
VCN pointer, an attacker can cause the indx_find() function to repeatedly
read the same block, allocating 4 KB of memory each time. The kernel lacks
VCN loop detection and depth limits, causing memory exhaustion and an OOM
crash.
This patch adds a return value check for fnd_push() to prevent a memory
exhaustion vulnerability caused by infinite loops. When the index exceeds the
size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find()
function checks this return value and stops processing, preventing further
memory allocation.
Co-developed-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Co-developed-by: Jihoon Kwon <kjh010315@gmail.com>
Signed-off-by: Jihoon Kwon <kjh010315@gmail.com>
Signed-off-by: Jaehun Gou <p22gone@gmail.com>
---
fs/ntfs3/index.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 6d1bf890929d..050b3709e020 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -1190,7 +1190,12 @@ int indx_find(struct ntfs_index *indx, struct ntfs_inode *ni,
return -EINVAL;
}
- fnd_push(fnd, node, e);
+ err = fnd_push(fnd, node, e);
+
+ if (err) {
+ put_indx_node(node);
+ return err;
+ }
}
*entry = e;
--
2.43.0On 12/2/25 11:59, Jaehun Gou wrote:
> We found an infinite loop bug in the ntfs3 file system that can lead to a
> Denial-of-Service (DoS) condition.
>
> A malformed dentry in the ntfs3 filesystem can cause the kernel to hang
> during the lookup operations. By setting the HAS_SUB_NODE flag in an
> INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the
> VCN pointer, an attacker can cause the indx_find() function to repeatedly
> read the same block, allocating 4 KB of memory each time. The kernel lacks
> VCN loop detection and depth limits, causing memory exhaustion and an OOM
> crash.
>
> This patch adds a return value check for fnd_push() to prevent a memory
> exhaustion vulnerability caused by infinite loops. When the index exceeds the
> size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find()
> function checks this return value and stops processing, preventing further
> memory allocation.
>
> Co-developed-by: Seunghun Han <kkamagui@gmail.com>
> Signed-off-by: Seunghun Han <kkamagui@gmail.com>
> Co-developed-by: Jihoon Kwon <kjh010315@gmail.com>
> Signed-off-by: Jihoon Kwon <kjh010315@gmail.com>
> Signed-off-by: Jaehun Gou <p22gone@gmail.com>
> ---
> fs/ntfs3/index.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
> index 6d1bf890929d..050b3709e020 100644
> --- a/fs/ntfs3/index.c
> +++ b/fs/ntfs3/index.c
> @@ -1190,7 +1190,12 @@ int indx_find(struct ntfs_index *indx, struct ntfs_inode *ni,
> return -EINVAL;
> }
>
> - fnd_push(fnd, node, e);
> + err = fnd_push(fnd, node, e);
> +
> + if (err) {
> + put_indx_node(node);
> + return err;
> + }
> }
>
> *entry = e;
Your patch has been applied. Thanks.
Regards,
Konstantin
© 2016 - 2026 Red Hat, Inc.