| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025111247-CVE-2025-40205-ad43@gregkh> Date: Wed, 12 Nov 2025 17:01:08 -0500 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40205: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes). However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT (10 dwords, 40 bytes). If *max_len is not large enough, this write goes out of bounds because BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than BTRFS_FID_SIZE_CONNECTABLE originally returned. This results in an 8-byte out-of-bounds write at fid->parent_root_objectid = parent_root_id. A previous attempt to fix this issue was made but was lost. https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/ Although this issue does not seem to be easily triggerable, it is a potential memory corruption bug that should be fixed. This patch resolves the issue by ensuring the function returns the appropriate size for all three cases and validates that *max_len is large enough before writing any data. The Linux kernel CVE team has assigned CVE-2025-40205 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.29 with commit be6e8dc0ba84029997075a1ec77b4ddb863cbe15 and fixed in 5.4.301 with commit 60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db Issue introduced in 2.6.29 with commit be6e8dc0ba84029997075a1ec77b4ddb863cbe15 and fixed in 5.10.246 with commit 742b44342204e5dfe3926433823623c1a0c581df Issue introduced in 2.6.29 with commit be6e8dc0ba84029997075a1ec77b4ddb863cbe15 and fixed in 5.15.195 with commit d3a9a8e1275eb9b87f006b5562a287aea3f6885f Issue introduced in 2.6.29 with commit be6e8dc0ba84029997075a1ec77b4ddb863cbe15 and fixed in 6.1.157 with commit d91f6626133698362bba08fbc04bd72c466806d3 Issue introduced in 2.6.29 with commit be6e8dc0ba84029997075a1ec77b4ddb863cbe15 and fixed in 6.6.113 with commit 0276c8582488022f057b4cec21975a5edf079f47 Issue introduced in 2.6.29 with commit be6e8dc0ba84029997075a1ec77b4ddb863cbe15 and fixed in 6.12.54 with commit 361d67276eb8ec6be8f27f4ad6c6090459438fee Issue introduced in 2.6.29 with commit be6e8dc0ba84029997075a1ec77b4ddb863cbe15 and fixed in 6.17.4 with commit 43143776b0a7604d873d1a6f3e552a00aa930224 Issue introduced in 2.6.29 with commit be6e8dc0ba84029997075a1ec77b4ddb863cbe15 and fixed in 6.18-rc1 with commit dff4f9ff5d7f289e4545cc936362e01ed3252742 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40205 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/btrfs/export.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db https://git.kernel.org/stable/c/742b44342204e5dfe3926433823623c1a0c581df https://git.kernel.org/stable/c/d3a9a8e1275eb9b87f006b5562a287aea3f6885f https://git.kernel.org/stable/c/d91f6626133698362bba08fbc04bd72c466806d3 https://git.kernel.org/stable/c/0276c8582488022f057b4cec21975a5edf079f47 https://git.kernel.org/stable/c/361d67276eb8ec6be8f27f4ad6c6090459438fee https://git.kernel.org/stable/c/43143776b0a7604d873d1a6f3e552a00aa930224 https://git.kernel.org/stable/c/dff4f9ff5d7f289e4545cc936362e01ed3252742
Powered by blists - more mailing lists