Message-ID: <2025083005-CVE-2025-38677-e495@gregkh>
Date: Sat, 30 Aug 2025 11:19:06 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38677: f2fs: fix to avoid out-of-boundary access in dnode page

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid out-of-boundary access in dnode page

As Jiaming Zhang reported:

 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x17e/0x800 mm/kasan/report.c:480
 kasan_report+0x147/0x180 mm/kasan/report.c:593
 data_blkaddr fs/f2fs/f2fs.h:3053 [inline]
 f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]
 f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855
 f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195
 prepare_write_begin fs/f2fs/data.c:3395 [inline]
 f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594
 generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
 f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]
 f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x546/0xa90 fs/read_write.c:686
 ksys_write+0x149/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The root cause is that in the corrupted image there is a dnode that has the
same node id as its inode, so during f2fs_get_dnode_of_data() it tries to
access the block address in the dnode at offset 934; however, it parses the
dnode as an inode node, so get_dnode_addr() returns 360, and it then tries to
access the page address at 360 + 934 * 4 = 4096 with 4 bytes.

To fix this issue, let's add a sanity check for the node id of all direct
nodes during f2fs_get_dnode_of_data().

The Linux kernel CVE team has assigned CVE-2025-38677 to this issue.
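
The arithmetic in the description above, as an added illustrative model (not the kernel's f2fs code): it shows why a dnode whose nid equals its inode's id is parsed with the inode's address base and so reads past the 4096-byte page, and what a node-id sanity check rejects. The layout constants (page size 4096, i_addr[] at byte 360, 923 inode slots, 1018 direct-node slots) and the nid == ino inode test are assumptions chosen to match the numbers quoted in the advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Layout constants assumed for this model (they match the advisory's numbers). */
#define F2FS_BLKSIZE         4096u  /* one node page */
#define INODE_ADDR_BASE       360u  /* offset of i_addr[] in an inode node page */
#define DEF_ADDRS_PER_INODE   923u  /* address slots in an inode node page */
#define DEF_ADDRS_PER_BLOCK  1018u  /* address slots in a direct node page */

/* A node page is treated as an inode node when the footer's nid equals its ino
 * (assumption modelled on f2fs's inode test; this is what misparses the dnode). */
static bool is_inode_node(uint32_t nid, uint32_t ino)
{
    return nid == ino;
}

/* Byte offset of the 4-byte address slot `ofs` in the page identified by
 * (nid, ino). Returns -1 when the read would not fit in the page. In the
 * reported case nid == ino makes a dnode look like an inode, so the base
 * becomes 360 and slot 934 lands at byte 4096, one past the page end. */
static long blkaddr_byte_offset(uint32_t nid, uint32_t ino, unsigned int ofs)
{
    bool inode = is_inode_node(nid, ino);
    unsigned long base  = inode ? INODE_ADDR_BASE : 0;  /* get_dnode_addr() */
    unsigned long slots = inode ? DEF_ADDRS_PER_INODE : DEF_ADDRS_PER_BLOCK;
    unsigned long off   = base + (unsigned long)ofs * sizeof(uint32_t);
    if (off + sizeof(uint32_t) > F2FS_BLKSIZE)  /* the KASAN-reported read */
        return -1;
    if (ofs >= slots)                           /* slot index out of range */
        return -1;
    return (long)off;
}

/* Sanity check in the spirit of the fix: a direct node reached from an inode
 * must never carry the inode's own node id. Returns 0 if sane, -1 if corrupt. */
static int check_direct_node_nid(uint32_t inode_nid, uint32_t dnode_nid)
{
    return dnode_nid == inode_nid ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: inode 5, a healthy dnode 7, and a dnode claiming nid 5. */
    printf("healthy dnode, slot 934 -> %ld\n", blkaddr_byte_offset(7, 5, 934));
    printf("corrupt dnode, slot 934 -> %ld\n", blkaddr_byte_offset(5, 5, 934));
    printf("nid sanity check on corrupt dnode -> %d\n", check_direct_node_nid(5, 5));
    return 0;
}
```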


Affected and fixed versions
===========================

	Fixed in 5.4.297 with commit ee4d13f5407cbdf1216cc258f45492075713889a
	Fixed in 5.10.241 with commit a650654365c57407413e9b1f6ff4d539bf2e99ca
	Fixed in 5.15.190 with commit 6b7784ea07e6aa044f74b39d6b5af5e28746fc81
	Fixed in 6.1.149 with commit 901f62efd6e855f93d8b1175540f29f4dc45ba55
	Fixed in 6.6.103 with commit 92ef491b506a0f4dd971a3a76f86f2d8f5370180
	Fixed in 6.12.44 with commit 888aa660144bcb6ec07839da756ee46bfcf7fc53
	Fixed in 6.16.4 with commit f1d5093d9fe9f3c74c123741c88666cc853b79c5
	Fixed in 6.17-rc1 with commit 77de19b6867f2740cdcb6c9c7e50d522b47847a4

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38677
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/f2fs/node.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/ee4d13f5407cbdf1216cc258f45492075713889a
	https://git.kernel.org/stable/c/a650654365c57407413e9b1f6ff4d539bf2e99ca
	https://git.kernel.org/stable/c/6b7784ea07e6aa044f74b39d6b5af5e28746fc81
	https://git.kernel.org/stable/c/901f62efd6e855f93d8b1175540f29f4dc45ba55
	https://git.kernel.org/stable/c/92ef491b506a0f4dd971a3a76f86f2d8f5370180
	https://git.kernel.org/stable/c/888aa660144bcb6ec07839da756ee46bfcf7fc53
	https://git.kernel.org/stable/c/f1d5093d9fe9f3c74c123741c88666cc853b79c5
	https://git.kernel.org/stable/c/77de19b6867f2740cdcb6c9c7e50d522b47847a4
