lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025111255-CVE-2025-40137-3047@gregkh>
Date: Wed, 12 Nov 2025 19:24:13 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-40137: f2fs: fix to truncate first page in error path of f2fs_truncate()

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to truncate first page in error path of f2fs_truncate()

syzbot reports a bug as below:

loop0: detected capacity change from 0 to 40427
F2FS-fs (loop0): Wrong SSA boundary, start(3584) end(4096) blocks(3072)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): invalid crc value
F2FS-fs (loop0): f2fs_convert_inline_folio: corrupted inline inode ino=3, i_addr[0]:0x1601, run fsck to fix.
------------[ cut here ]------------
kernel BUG at fs/inode.c:753!
RIP: 0010:clear_inode+0x169/0x190 fs/inode.c:753
Call Trace:
 <TASK>
 evict+0x504/0x9c0 fs/inode.c:810
 f2fs_fill_super+0x5612/0x6fa0 fs/f2fs/super.c:5047
 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1692
 vfs_get_tree+0x8f/0x2b0 fs/super.c:1815
 do_new_mount+0x2a2/0x9e0 fs/namespace.c:3808
 do_mount fs/namespace.c:4136 [inline]
 __do_sys_mount fs/namespace.c:4347 [inline]
 __se_sys_mount+0x317/0x410 fs/namespace.c:4324
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

During f2fs_evict_inode(), clear_inode() detects that we missed to truncate
all page cache before destorying inode, that is because in below path, we
will create page #0 in cache, but missed to drop it in error path, let's fix
it.

- evict
 - f2fs_evict_inode
  - f2fs_truncate
   - f2fs_convert_inline_inode
    - f2fs_grab_cache_folio
    : create page #0 in cache
    - f2fs_convert_inline_folio
    : sanity check failed, return -EFSCORRUPTED
  - clear_inode detects that inode->i_data.nrpages is not zero

The Linux kernel CVE team has assigned CVE-2025-40137 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 3.19 with commit 92dffd01790a5219d234fc83c3ba854f4490b7f4 and fixed in 6.6.112 with commit 83a8e4efea022506a0e049e7206bdf8be9f78148
	Issue introduced in 3.19 with commit 92dffd01790a5219d234fc83c3ba854f4490b7f4 and fixed in 6.12.53 with commit a7b7ebdd7045a36454b3e388a2ecf50344fad9e6
	Issue introduced in 3.19 with commit 92dffd01790a5219d234fc83c3ba854f4490b7f4 and fixed in 6.17.3 with commit 3b0c8908faa18cded84d64822882a830ab1f4d26
	Issue introduced in 3.19 with commit 92dffd01790a5219d234fc83c3ba854f4490b7f4 and fixed in 6.18-rc1 with commit 9251a9e6e871cb03c4714a18efa8f5d4a8818450

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-40137
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/f2fs/file.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/83a8e4efea022506a0e049e7206bdf8be9f78148
	https://git.kernel.org/stable/c/a7b7ebdd7045a36454b3e388a2ecf50344fad9e6
	https://git.kernel.org/stable/c/3b0c8908faa18cded84d64822882a830ab1f4d26
	https://git.kernel.org/stable/c/9251a9e6e871cb03c4714a18efa8f5d4a8818450

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ