| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026011757-shrivel-take-208f@gregkh>
Date: Sat, 17 Jan 2026 16:21:13 +0100
From: Greg Kroah-Hartman <gregkh@...nel.org>
To: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
linux-cve-announce@...r.kernel.org
Subject: Re: CVE-2025-68212: fs: Fix uninitialized 'offp' in
statmount_string()
On Sat, Jan 17, 2026 at 08:13:21PM +0530, Harshit Mogalapalli wrote:
> Hi Greg,
>
>
> On 16/12/25 19:27, Greg Kroah-Hartman wrote:
> > From: Greg Kroah-Hartman <gregkh@...nel.org>
> >
> > Description
> > ===========
> >
> > In the Linux kernel, the following vulnerability has been resolved:
> >
> > fs: Fix uninitialized 'offp' in statmount_string()
> >
> > In statmount_string(), most flags assign an output offset pointer (offp)
> > which is later updated with the string offset. However, the
> > STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the
> > struct fields instead of using offp. This leaves offp uninitialized,
> > leading to a possible uninitialized dereference when *offp is updated.
> >
> > Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code
> > path consistent.
> >
> > The Linux kernel CVE team has assigned CVE-2025-68212 to this issue.
> >
> >
> > Affected and fixed versions
> > ===========================
> >
> > Issue introduced in 6.14 with commit e52e97f09fb66fd868260d05bd6b74a9a3db39ee and fixed in 6.17.10 with commit acfde9400e611c8d2668f1c70053c4a1d6ecfc36
> > Issue introduced in 6.14 with commit e52e97f09fb66fd868260d05bd6b74a9a3db39ee and fixed in 6.18 with commit 0778ac7df5137d5041783fadfc201f8fd55a1d9b
> > Issue introduced in 6.12.14 with commit d49c64c1d723c167f521833f429ab28d3ca7e0d9
> > Issue introduced in 6.13.3 with commit c3787a4fae66e710543137b4b1b073cb2bff3bca
> >
>
> I have reviewed the broken commit/vulnerable commit for this:
>
> Probably the logic in scripts is to find the oldest Fixes tag if there are
> more than one Fixes' tags in the commit message:
Yes, that is true.
>
> commit 0778ac7df5137d5041783fadfc201f8fd55a1d9b
> Author: Zhen Ni <zhen.ni@...ystack.cn>
> Date: Mon Oct 13 19:41:51 2025 +0800
>
> fs: Fix uninitialized 'offp' in statmount_string()
>
> In statmount_string(), most flags assign an output offset pointer (offp)
> which is later updated with the string offset. However, the
> STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the
> struct fields instead of using offp. This leaves offp uninitialized,
> leading to a possible uninitialized dereference when *offp is updated.
>
> Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code
> path consistent.
>
> Fixes: 37c4a9590e1e ("statmount: allow to retrieve idmappings")
> Fixes: e52e97f09fb6 ("statmount: let unset strings be empty")
>
>
> For the CVE fix, the actual broken commit which is more appropriate is
> 37c4a9590e1e introduces the STATMOUNT_MNT_{U,G}IDMAP cases but only
> writes sm->mnt_* = start while leaving offp unset, so the shared tail of
> statmount_string() later dereferences an uninitialised pointer.
>
> Hence 37c4a9590e1e is probably the more appropriate vulnerable commit for
> this CVE.
>
> Should I send a patch to add CVE-2025-68212.vulnerable for getting it
> updated correctly ?
Please do!
thanks
greg k-h
Powered by blists - more mailing lists