Message-ID: <2025041820-CVE-2025-39735-41c8@gregkh>
Date: Fri, 18 Apr 2025 09:02:27 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39735: jfs: fix slab-out-of-bounds read in ea_get()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
jfs: fix slab-out-of-bounds read in ea_get()
At the "size_check" label in ea_get(), the code checks whether the extended
attribute list (xattr) size matches ea_size. If not, it logs
"ea_get: invalid extended attribute" and calls print_hex_dump().
Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds
INT_MAX (2,147,483,647). Then ea_size is clamped:
int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper
limit is treated as an int, causing an overflow above 2^31 - 1. This leads
"size" to wrap around and become negative (-184549328).
The "size" is then passed to print_hex_dump() (where it is called "len")
as type size_t (an unsigned type); this is then stored in a variable
called "int remaining", which is assigned to "int linelen", which
is then passed to hex_dump_to_buffer(). In print_hex_dump()
the for loop iterates from 0 to len-1, where len is
18446744073525002176, calling hex_dump_to_buffer()
on each iteration:
	for (i = 0; i < len; i += rowsize) {
		linelen = min(remaining, rowsize);
		remaining -= rowsize;
		hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
				   linebuf, sizeof(linebuf), ascii);
		...
	}
The expected stopping condition (i < len) is effectively broken
since len is corrupted and very large. This eventually leads to
the "ptr+i" being passed to hex_dump_to_buffer() getting closer
to the end of the actual bounds of "ptr"; eventually an out-of-bounds
access is done in hex_dump_to_buffer() in the following
for loop:
	for (j = 0; j < len; j++) {
		if (linebuflen < lx + 2)
			goto overflow2;
		ch = ptr[j];
		...
	}
To fix this we should validate "EALIST_SIZE(ea_buf->xattr)"
before it is utilised.
The Linux kernel CVE team has assigned CVE-2025-39735 to this issue.
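The following userspace C model is an added example; it is not part of
this announcement, the commit message, or the kernel fix. It reproduces
the clamp_t() narrowing the description walks through, using the on-disk
size quoted above, and contrasts it with a bound check of the kind the
description calls for (validating EALIST_SIZE() before it is used). The
struct ea_list_hdr, the EALIST_SIZE() macro, the helper names and the
sample values are all constructed for illustration and are assumptions,
not the jfs code.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the kernel's clamp_t(type, val, lo, hi): every operand is cast
 * to `type` before the comparisons, which is exactly why an unsigned
 * 32-bit upper bound above INT_MAX turns negative when `type` is int.
 * (Constructed stand-in, not the kernel macro.)
 */
#define clamp_t(type, val, lo, hi)                                   \
	((type)(val) < (type)(lo) ? (type)(lo)                           \
	 : ((type)(val) > (type)(hi) ? (type)(hi) : (type)(val)))

/* Constructed stand-in for the on-disk EA list header: the real jfs
 * header stores a little-endian 32-bit size that EALIST_SIZE() reads. */
struct ea_list_hdr {
	uint32_t size;
};
#define EALIST_SIZE(ea) ((ea)->size)

/* The size quoted in the description: it exceeds INT_MAX. */
#define BAD_EALIST_SIZE 4110417968u

/* Pre-fix shape of the size_check path: the value returned here is what
 * would be handed to print_hex_dump() as its len argument. */
int vulnerable_dump_size(const struct ea_list_hdr *ea, int ea_size)
{
	/* (int)4110417968u is -184549328, so the "upper bound" is below
	 * ea_size and wins the comparison; the result is negative. */
	return clamp_t(int, ea_size, 0, EALIST_SIZE(ea));
}

/* What print_hex_dump() actually sees: the int is converted to size_t,
 * so a negative size becomes a value close to SIZE_MAX and the loop
 * bound `i < len` no longer stops inside the buffer. */
size_t as_hex_dump_len(int size)
{
	return (size_t)size;
}

/* Hardened form in the direction the description describes: reject an
 * on-disk size that cannot be represented as int before it is used as a
 * clamp bound. Returns -1 for a rejected header (assumed convention for
 * this example; the kernel path logs and returns an error instead). */
int hardened_dump_size(const struct ea_list_hdr *ea, int ea_size)
{
	if (EALIST_SIZE(ea) > INT_MAX)
		return -1;
	return clamp_t(int, ea_size, 0, EALIST_SIZE(ea));
}

/* Named wrappers over constructed headers so the results can be checked
 * by name: a corrupted header and a sane 4 KiB one, each with ea_size 64. */
int demo_vulnerable_size(void)
{
	struct ea_list_hdr ea = { .size = BAD_EALIST_SIZE };
	return vulnerable_dump_size(&ea, 64);
}

int demo_hardened_bad(void)
{
	struct ea_list_hdr ea = { .size = BAD_EALIST_SIZE };
	return hardened_dump_size(&ea, 64);
}

int demo_hardened_good(void)
{
	struct ea_list_hdr ea = { .size = 4096 };
	return hardened_dump_size(&ea, 64);
}

int main(void)
{
	int v = demo_vulnerable_size();

	printf("vulnerable: size = %d, as print_hex_dump len = %zu\n",
	       v, as_hex_dump_len(v));
	printf("hardened:   corrupted header -> %d, sane header -> %d\n",
	       demo_hardened_bad(), demo_hardened_good());
	return 0;
}
```

The general lesson the model makes visible: clamp_t() guarantees nothing
about a bound that does not fit the target type, so any value read from
disk or the network must be range-checked in its own width before it is
narrowed and used as a limit.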
Affected and fixed versions
===========================
Issue introduced in 5.4.287 with commit 6e39b681d1eb16f408493bf5023788b57f68998c and fixed in 5.4.292 with commit 3d6fd5b9c6acbc005e53d0211c7381f566babec1
Issue introduced in 5.10.231 with commit bbf3f1fd8a0ac7df1db36a9b9e923041a14369f2 and fixed in 5.10.236 with commit 50afcee7011155933d8d5e8832f52eeee018cfd3
Issue introduced in 5.15.174 with commit 27a93c45e16ac25a0e2b5e5668e2d1beca56a478 and fixed in 5.15.180 with commit 78c9cbde8880ec02d864c166bcb4fe989ce1d95f
Issue introduced in 6.1.120 with commit 9c356fc32a4480a2c0e537a05f2a8617633ddad0 and fixed in 6.1.134 with commit 46e2c031aa59ea65128991cbca474bd5c0c2ecdb
Issue introduced in 6.6.64 with commit 9353cdf28d4c5c0ff19c5df7fbf81ea774de43a4 and fixed in 6.6.87 with commit a8c31808925b11393a6601f534bb63bac5366bab
Issue introduced in 6.12.2 with commit 8c505ebeed8045b488b2e60b516c752b851f8437 and fixed in 6.12.23 with commit 0beddc2a3f9b9cf7d8887973041e36c2d0fa3652
Issue introduced in 6.13 with commit d9f9d96136cba8fedd647d2c024342ce090133c2 and fixed in 6.13.11 with commit 16d3d36436492aa248b2d8045e75585ebcc2f34d
Issue introduced in 6.13 with commit d9f9d96136cba8fedd647d2c024342ce090133c2 and fixed in 6.14.2 with commit 5263822558a8a7c0d0248d5679c2dcf4d5cda61f
Issue introduced in 6.13 with commit d9f9d96136cba8fedd647d2c024342ce090133c2 and fixed in 6.15-rc1 with commit fdf480da5837c23b146c4743c18de97202fcab37
Issue introduced in 4.19.325 with commit 4ea25fa8747fb8b1e5a11d87b852023ecf7ae420
Issue introduced in 6.11.11 with commit 676a787048aafd4d1b38a522b05a9cc77e1b0a33
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-39735
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/jfs/xattr.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/3d6fd5b9c6acbc005e53d0211c7381f566babec1
https://git.kernel.org/stable/c/50afcee7011155933d8d5e8832f52eeee018cfd3
https://git.kernel.org/stable/c/78c9cbde8880ec02d864c166bcb4fe989ce1d95f
https://git.kernel.org/stable/c/46e2c031aa59ea65128991cbca474bd5c0c2ecdb
https://git.kernel.org/stable/c/a8c31808925b11393a6601f534bb63bac5366bab
https://git.kernel.org/stable/c/0beddc2a3f9b9cf7d8887973041e36c2d0fa3652
https://git.kernel.org/stable/c/16d3d36436492aa248b2d8045e75585ebcc2f34d
https://git.kernel.org/stable/c/5263822558a8a7c0d0248d5679c2dcf4d5cda61f
https://git.kernel.org/stable/c/fdf480da5837c23b146c4743c18de97202fcab37