Message-ID: <2025091615-CVE-2025-39817-90b7@gregkh>
Date: Tue, 16 Sep 2025 15:00:23 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39817: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

Observed on kernel 6.6 (present on master as well):

  BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0
  Call trace:
   kasan_check_range+0xe8/0x190
   __asan_loadN+0x1c/0x28
   memcmp+0x98/0xd0
   efivarfs_d_compare+0x68/0xd8
   __d_lookup_rcu_op_compare+0x178/0x218
   __d_lookup_rcu+0x1f8/0x228
   d_alloc_parallel+0x150/0x648
   lookup_open.isra.0+0x5f0/0x8d0
   open_last_lookups+0x264/0x828
   path_openat+0x130/0x3f8
   do_filp_open+0x114/0x248
   do_sys_openat2+0x340/0x3c0
   __arm64_sys_openat+0x120/0x1a0

If dentry->d_name.len < EFI_VARIABLE_GUID_LEN, 'guid' can become
negative, leading to oob. The issue can be triggered by parallel
lookups using an invalid filename:

  T1			T2
  lookup_open
   ->lookup
    simple_lookup
     d_add
     // invalid dentry is added to hash list

			lookup_open
			 d_alloc_parallel
			  __d_lookup_rcu
			   __d_lookup_rcu_op_compare
			    hlist_bl_for_each_entry_rcu
			    // invalid dentry can be retrieved
			     ->d_compare
			      efivarfs_d_compare
			      // oob

Fix it by checking 'guid' before cmp.

The Linux kernel CVE team has assigned CVE-2025-39817 to this issue.
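As an added illustration (not the kernel's code or the fix commit), the block below is a simplified C model of the d_compare logic described above: it shows how a dentry name shorter than EFI_VARIABLE_GUID_LEN turns 'guid' into a wrapped size_t for memcmp, next to a compare that checks 'guid' first, as the fix describes. Assumptions: struct qstr is reduced to a name/length pair, EFI_VARIABLE_GUID_LEN is 36 (the kernel's UUID_STRING_LEN), and the sample names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* efivarfs file names look like "<VarName>-<GUID>"; the GUID text is
 * 36 characters (the kernel's EFI_VARIABLE_GUID_LEN is UUID_STRING_LEN). */
#define EFI_VARIABLE_GUID_LEN 36

/* Simplified stand-in for the kernel's struct qstr (a hashed name). */
struct qstr { const char *name; unsigned int len; };

/* The size memcmp() receives when 'guid' is used without a check:
 * a name shorter than the GUID yields a negative int, which converts
 * to a huge size_t, so the compare walks off both buffers (the KASAN
 * slab-out-of-bounds in the report above). */
static size_t memcmp_len_unchecked(unsigned int len)
{
	int guid = len - EFI_VARIABLE_GUID_LEN;
	return (size_t)guid;
}

/* Fixed shape of the compare: a dentry name too short to carry a GUID
 * can only be the invalid entry left by a racing lookup, so report
 * "no match" (non-zero, the d_compare convention) before touching
 * any memory.  Modelled on the description, not copied from the fix. */
static int d_compare_checked(unsigned int len, const char *str, const struct qstr *name)
{
	int guid = len - EFI_VARIABLE_GUID_LEN;

	if (guid < 0)
		return 1;
	if (name->len != len)
		return 1;
	if (memcmp(str, name->name, guid))	/* case-sensitive variable name */
		return 1;
	/* case-insensitive GUID part */
	return strncasecmp(name->name + guid, str + guid, EFI_VARIABLE_GUID_LEN);
}

/* Helper: compare two NUL-terminated names, 'b' playing the hashed qstr. */
static int compare_names(const char *a, const char *b)
{
	struct qstr q = { b, (unsigned int)strlen(b) };
	return d_compare_checked((unsigned int)strlen(a), a, &q);
}
```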


Affected and fixed versions
===========================

	Issue introduced in 3.9 with commit da27a24383b2b10bf6ebd0db29b325548aafecb4 and fixed in 5.4.298 with commit 0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6
	Issue introduced in 3.9 with commit da27a24383b2b10bf6ebd0db29b325548aafecb4 and fixed in 5.10.242 with commit 794399019301944fd6d2e0d7a51b3327e26c410e
	Issue introduced in 3.9 with commit da27a24383b2b10bf6ebd0db29b325548aafecb4 and fixed in 5.15.191 with commit 568e7761279b99c6daa3002290fd6d8047ddb6d2
	Issue introduced in 3.9 with commit da27a24383b2b10bf6ebd0db29b325548aafecb4 and fixed in 6.1.150 with commit d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7
	Issue introduced in 3.9 with commit da27a24383b2b10bf6ebd0db29b325548aafecb4 and fixed in 6.6.104 with commit 925599eba46045930b850a98ae594d2e3028ac40
	Issue introduced in 3.9 with commit da27a24383b2b10bf6ebd0db29b325548aafecb4 and fixed in 6.12.45 with commit c2925cd6207079c3f4d040d082515db78d63afbf
	Issue introduced in 3.9 with commit da27a24383b2b10bf6ebd0db29b325548aafecb4 and fixed in 6.16.5 with commit 71581a82f38e5a4d807d71fc1bb59aead80ccf95
	Issue introduced in 3.9 with commit da27a24383b2b10bf6ebd0db29b325548aafecb4 and fixed in 6.17-rc4 with commit a6358f8cf64850f3f27857b8ed8c1b08cfc4685c
	Issue introduced in 3.8.2 with commit 688289c4b745c018b3449b4b4c5a2030083c8eaf

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-39817
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/efivarfs/super.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6
	https://git.kernel.org/stable/c/794399019301944fd6d2e0d7a51b3327e26c410e
	https://git.kernel.org/stable/c/568e7761279b99c6daa3002290fd6d8047ddb6d2
	https://git.kernel.org/stable/c/d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7
	https://git.kernel.org/stable/c/925599eba46045930b850a98ae594d2e3028ac40
	https://git.kernel.org/stable/c/c2925cd6207079c3f4d040d082515db78d63afbf
	https://git.kernel.org/stable/c/71581a82f38e5a4d807d71fc1bb59aead80ccf95
	https://git.kernel.org/stable/c/a6358f8cf64850f3f27857b8ed8c1b08cfc4685c
