{"id":"CVE-2023-54125","summary":"fs/ntfs3: Return error for inconsistent extended attributes","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Return error for inconsistent extended attributes\n\nntfs_read_ea is called when we want to read extended attributes. There\nare some sanity checks for the validity of the EAs. However, it fails to\nreturn a proper error code for the inconsistent attributes, which might\nlead to unpredicted memory accesses after return.\n\n[  138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0\n[  138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199\n[  138.931132]\n[  138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4\n[  138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[  138.947327] Call Trace:\n[  138.949557]  \u003cTASK\u003e\n[  138.951539]  dump_stack_lvl+0x4d/0x67\n[  138.956834]  print_report+0x16f/0x4a6\n[  138.960798]  ? ntfs_set_ea+0x453/0xbf0\n[  138.964437]  ? kasan_complete_mode_report_info+0x7d/0x200\n[  138.969793]  ? ntfs_set_ea+0x453/0xbf0\n[  138.973523]  kasan_report+0xb8/0x140\n[  138.976740]  ? ntfs_set_ea+0x453/0xbf0\n[  138.980578]  __asan_store4+0x76/0xa0\n[  138.984669]  ntfs_set_ea+0x453/0xbf0\n[  138.988115]  ? __pfx_ntfs_set_ea+0x10/0x10\n[  138.993390]  ? kernel_text_address+0xd3/0xe0\n[  138.998270]  ? __kernel_text_address+0x16/0x50\n[  139.002121]  ? unwind_get_return_address+0x3e/0x60\n[  139.005659]  ? __pfx_stack_trace_consume_entry+0x10/0x10\n[  139.010177]  ? arch_stack_walk+0xa2/0x100\n[  139.013657]  ? filter_irq_stacks+0x27/0x80\n[  139.017018]  ntfs_setxattr+0x405/0x440\n[  139.022151]  ? __pfx_ntfs_setxattr+0x10/0x10\n[  139.026569]  ? kvmalloc_node+0x2d/0x120\n[  139.030329]  ? kasan_save_stack+0x41/0x60\n[  139.033883]  ? kasan_save_stack+0x2a/0x60\n[  139.037338]  ? kasan_set_track+0x29/0x40\n[  139.040163]  ? kasan_save_alloc_info+0x1f/0x30\n[  139.043588]  ? __kasan_kmalloc+0x8b/0xa0\n[  139.047255]  ? __kmalloc_node+0x68/0x150\n[  139.051264]  ? kvmalloc_node+0x2d/0x120\n[  139.055301]  ? vmemdup_user+0x2b/0xa0\n[  139.058584]  __vfs_setxattr+0x121/0x170\n[  139.062617]  ? __pfx___vfs_setxattr+0x10/0x10\n[  139.066282]  __vfs_setxattr_noperm+0x97/0x300\n[  139.070061]  __vfs_setxattr_locked+0x145/0x170\n[  139.073580]  vfs_setxattr+0x137/0x2a0\n[  139.076641]  ? __pfx_vfs_setxattr+0x10/0x10\n[  139.080223]  ? __kasan_check_write+0x18/0x20\n[  139.084234]  do_setxattr+0xce/0x150\n[  139.087768]  setxattr+0x126/0x140\n[  139.091250]  ? __pfx_setxattr+0x10/0x10\n[  139.094948]  ? __virt_addr_valid+0xcb/0x140\n[  139.097838]  ? __call_rcu_common.constprop.0+0x1c7/0x330\n[  139.102688]  ? debug_smp_processor_id+0x1b/0x30\n[  139.105985]  ? kasan_quarantine_put+0x5b/0x190\n[  139.109980]  ? putname+0x84/0xa0\n[  139.113886]  ? __kasan_slab_free+0x11e/0x1b0\n[  139.117961]  ? putname+0x84/0xa0\n[  139.121316]  ? preempt_count_sub+0x1c/0xd0\n[  139.124427]  ? __mnt_want_write+0xae/0x100\n[  139.127836]  ? mnt_want_write+0x8f/0x150\n[  139.130954]  path_setxattr+0x164/0x180\n[  139.133998]  ? __pfx_path_setxattr+0x10/0x10\n[  139.137853]  ? __pfx_ksys_pwrite64+0x10/0x10\n[  139.141299]  ? debug_smp_processor_id+0x1b/0x30\n[  139.145714]  ? fpregs_assert_state_consistent+0x6b/0x80\n[  139.150796]  __x64_sys_setxattr+0x71/0x90\n[  139.155407]  do_syscall_64+0x3f/0x90\n[  139.159035]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n[  139.163843] RIP: 0033:0x7f108cae4469\n[  139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088\n[  139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc\n[  139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469\n[  139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6\n[  139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618\n[  139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0\n[  139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15\n---truncated---","modified":"2026-03-31T17:29:47.083691Z","published":"2025-12-24T13:06:43.977Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54125.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1474098b590a426d90f27bb992f17c326e0b60c1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c9db0ff04649aa0b45f497183c957fe260f229f6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54125.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54125"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b"},{"fixed":"1474098b590a426d90f27bb992f17c326e0b60c1"},{"fixed":"c9db0ff04649aa0b45f497183c957fe260f229f6"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"333feb7ba84f69f9b423422417aaac54fd9e7c84"},{"last_affected":"000a9a72efa4a9df289bab9c9e8ba1639c72e0d6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54125.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.4.12"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54125.json"}}],"schema_version":"1.7.5"}