| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120820-CVE-2025-40306-3e2f@gregkh> Date: Mon, 8 Dec 2025 09:47:30 +0900 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40306: orangefs: fix xattr related buffer overflow... From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: orangefs: fix xattr related buffer overflow... Willy Tarreau <w@....eu> forwarded me a message from Disclosure <disclosure@...le.com> with the following warning: > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread. I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on. After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key. When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr "security.capability" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for "security.capability" resulted in another kmalloc, none of which were ever freed. I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture. The Linux kernel CVE team has assigned CVE-2025-40306 to this issue. Affected and fixed versions =========================== Fixed in 5.4.302 with commit c6564ff6b53c9a8dc786b6f1c51ae7688273f931 Fixed in 5.10.247 with commit ef892d2bf4f3fa2c8de1677dd307e678bdd3d865 Fixed in 5.15.197 with commit 15afebb9597449c444801d1ff0b8d8b311f950ab Fixed in 6.1.159 with commit bc812574de633cf9a9ad6974490e45f6a4bb5126 Fixed in 6.6.117 with commit e09a096104fc65859422817fb2211f35855983fe Fixed in 6.12.58 with commit 9127d1e90c90e5960c8bc72a4ce2c209691a7021 Fixed in 6.17.8 with commit c2ca015ac109fd743fdde27933d59dc5ad46658e Fixed in 6.18 with commit 025e880759c279ec64d0f754fe65bf45961da864 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40306 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/orangefs/xattr.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/c6564ff6b53c9a8dc786b6f1c51ae7688273f931 https://git.kernel.org/stable/c/ef892d2bf4f3fa2c8de1677dd307e678bdd3d865 https://git.kernel.org/stable/c/15afebb9597449c444801d1ff0b8d8b311f950ab https://git.kernel.org/stable/c/bc812574de633cf9a9ad6974490e45f6a4bb5126 https://git.kernel.org/stable/c/e09a096104fc65859422817fb2211f35855983fe https://git.kernel.org/stable/c/9127d1e90c90e5960c8bc72a4ce2c209691a7021 https://git.kernel.org/stable/c/c2ca015ac109fd743fdde27933d59dc5ad46658e https://git.kernel.org/stable/c/025e880759c279ec64d0f754fe65bf45961da864
Powered by blists - more mailing lists