Open Source and information security mailing list archives
Message-ID: <2025070425-CVE-2025-38220-a235@gregkh>
Date: Fri, 4 Jul 2025 15:37:49 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38220: ext4: only dirty folios when data journaling regular files

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ext4: only dirty folios when data journaling regular files

fstest generic/388 occasionally reproduces a crash that looks as follows:

BUG: kernel NULL pointer dereference, address: 0000000000000000
...
Call Trace:
 <TASK>
 ext4_block_zero_page_range+0x30c/0x380 [ext4]
 ext4_truncate+0x436/0x440 [ext4]
 ext4_process_orphan+0x5d/0x110 [ext4]
 ext4_orphan_cleanup+0x124/0x4f0 [ext4]
 ext4_fill_super+0x262d/0x3110 [ext4]
 get_tree_bdev_flags+0x132/0x1d0
 vfs_get_tree+0x26/0xd0
 vfs_cmd_create+0x59/0xe0
 __do_sys_fsconfig+0x4ed/0x6b0
 do_syscall_64+0x82/0x170
 ...

This occurs when processing a symlink inode from the orphan list. The
partial block zeroing code in the truncate path calls
ext4_dirty_journalled_data() -> folio_mark_dirty(). The latter calls
mapping->a_ops->dirty_folio(), but symlink inodes are not assigned an
a_ops vector in ext4, hence the crash.

To avoid this problem, update the ext4_dirty_journalled_data() helper to
only mark the folio dirty on regular files (for which a_ops is
assigned). This also matches the journaling logic in the ext4_symlink()
creation path, where ext4_handle_dirty_metadata() is called directly.

The Linux kernel CVE team has assigned CVE-2025-38220 to this issue.
Affected and fixed versions
===========================

	Issue introduced in 6.4 with commit d84c9ebdac1e39bc7b036c0c829ee8c1956edabc and fixed in 6.6.95 with commit cf6a4c4ac7b6e3214f25df594c9689a62f1bb456
	Issue introduced in 6.4 with commit d84c9ebdac1e39bc7b036c0c829ee8c1956edabc and fixed in 6.12.35 with commit be5f3061a6f904e3674257879e71881ceee5b673
	Issue introduced in 6.4 with commit d84c9ebdac1e39bc7b036c0c829ee8c1956edabc and fixed in 6.15.4 with commit d7af6eee8cd60f55aa8c5fe2b91f11ec0c9a0f27
	Issue introduced in 6.4 with commit d84c9ebdac1e39bc7b036c0c829ee8c1956edabc and fixed in 6.16-rc1 with commit e26268ff1dcae5662c1b96c35f18cfa6ab73d9de

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38220
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	fs/ext4/inode.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/cf6a4c4ac7b6e3214f25df594c9689a62f1bb456
	https://git.kernel.org/stable/c/be5f3061a6f904e3674257879e71881ceee5b673
	https://git.kernel.org/stable/c/d7af6eee8cd60f55aa8c5fe2b91f11ec0c9a0f27
	https://git.kernel.org/stable/c/e26268ff1dcae5662c1b96c35f18cfa6ab73d9de