CVE-2025-71265

In the Linux kernel, the following vulnerability has been resolved:

fs: ntfs3: fix infinite loop in attr load runs range on inconsistent metadata

We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.

A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run unpack() immediately returns success upon seeing this condition, it leaves the runs tree uninitialized with run->runs as a NULL. The calling function attr load runs range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run lookup entry() call to succeed. Because runs tree remains uninitialized, run lookup entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.

This patch adds a retry counter to detect when run lookup entry() fails consecutively after attr load runs vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.