CVE-2025-71067

Description

In the Linux kernel, the following vulnerability has been resolved:ntfs: set dummy blocksize to read boot_block when mountingWhen mounting, sb->s_blocksize is used to read the boot_block withoutbeing defined or validated. Set a dummy blocksize before attempting toread the boot_block.The issue can be triggered with the following syz reproducer: mkdirat(0xffffffffffffff9c, &(0x7f0000000080)=./file1x00, 0x0) r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0) ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000) mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)=./cgroupx00, &(0x7f0000000000)=ntfs3x00, 0x2208004, 0x0) syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)Here, the ioctl sets the bdev block size to 16384. During mount,get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leavessb->s_blocksize at zero.Later, ntfs_init_from_boot() attempts to read the boot_block whilesb->s_blocksize is still zero, which triggers the bug.[almaz.alexandrovich@paragon-software.com: changed comment style, addedreturn value handling]

Risk Information

Base Score

7.1

MODERATE

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS Score

Exploitation Probability

0.025

Associated Vulnerability

No records found

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234