cve/published/2025/CVE-2025-37742.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37742: jfs: Fix uninit-value access of imap allocated in the diMount() function

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 jfs: Fix uninit-value access of imap allocated in the diMount() function

 syzbot reports that hex_dump_to_buffer is using uninit-value:

 =====================================================
 BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
 hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
 print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
 diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876
 jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156
 evict+0x723/0xd10 fs/inode.c:796
 iput_final fs/inode.c:1946 [inline]
 iput+0x97b/0xdb0 fs/inode.c:1972
 txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x6b9/0xef0 kernel/kthread.c:464
 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

 Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4121 [inline]
 slab_alloc_node mm/slub.c:4164 [inline]
 __kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320
 kmalloc_noprof include/linux/slab.h:901 [inline]
 diMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105
 jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176
 jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523
 get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636
 get_tree_bdev+0x37/0x50 fs/super.c:1659
 jfs_get_tree+0x34/0x40 fs/jfs/super.c:635
 vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
 do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
 path_mount+0x742/0x1f10 fs/namespace.c:3887
 do_mount fs/namespace.c:3900 [inline]
 __do_sys_mount fs/namespace.c:4111 [inline]
 __se_sys_mount+0x71f/0x800 fs/namespace.c:4088
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
 x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 =====================================================

 The reason is that imap is not properly initialized after memory
 allocation. It will cause the snprintf() function to write uninitialized
 data into linebuf within hex_dump_to_buffer().

 Fix this by using kzalloc instead of kmalloc to clear its content at the
 beginning in diMount().

 The Linux kernel CVE team has assigned CVE-2025-37742 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.15.181 with commit 4f10732712fce33e53703ffe5ed9155f23814097
 	Fixed in 6.1.135 with commit cab1852368dd74d629ee02abdbc559218ca64dde
 	Fixed in 6.6.88 with commit 067347e00a3a7d04afed93f080c6c131e5dd15ee
 	Fixed in 6.12.24 with commit 63148ce4904faa668daffdd1d3c1199ae315ef2c
 	Fixed in 6.13.12 with commit 7057f3aab47629d38e54eae83505813cf0da1e4b
 	Fixed in 6.14.3 with commit d0d7eca253ccd0619b3d2b683ffe32218ebca9ac
 	Fixed in 6.15 with commit 9629d7d66c621671d9a47afe27ca9336bfc8a9ea

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37742
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/jfs/jfs_imap.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4f10732712fce33e53703ffe5ed9155f23814097
 	https://git.kernel.org/stable/c/cab1852368dd74d629ee02abdbc559218ca64dde
 	https://git.kernel.org/stable/c/067347e00a3a7d04afed93f080c6c131e5dd15ee
 	https://git.kernel.org/stable/c/63148ce4904faa668daffdd1d3c1199ae315ef2c
 	https://git.kernel.org/stable/c/7057f3aab47629d38e54eae83505813cf0da1e4b
 	https://git.kernel.org/stable/c/d0d7eca253ccd0619b3d2b683ffe32218ebca9ac
 	https://git.kernel.org/stable/c/9629d7d66c621671d9a47afe27ca9336bfc8a9ea
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37742: jfs: Fix uninit-value access of imap allocated in the diMount() function

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	jfs: Fix uninit-value access of imap allocated in the diMount() function

	syzbot reports that hex_dump_to_buffer is using uninit-value:

	=====================================================
	BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
	hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
	print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
	diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876
	jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156
	evict+0x723/0xd10 fs/inode.c:796
	iput_final fs/inode.c:1946 [inline]
	iput+0x97b/0xdb0 fs/inode.c:1972
	txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367
	txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
	jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733
	kthread+0x6b9/0xef0 kernel/kthread.c:464
	ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
	ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

	Uninit was created at:
	slab_post_alloc_hook mm/slub.c:4121 [inline]
	slab_alloc_node mm/slub.c:4164 [inline]
	__kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320
	kmalloc_noprof include/linux/slab.h:901 [inline]
	diMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105
	jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176
	jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523
	get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636
	get_tree_bdev+0x37/0x50 fs/super.c:1659
	jfs_get_tree+0x34/0x40 fs/jfs/super.c:635
	vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
	do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
	path_mount+0x742/0x1f10 fs/namespace.c:3887
	do_mount fs/namespace.c:3900 [inline]
	__do_sys_mount fs/namespace.c:4111 [inline]
	__se_sys_mount+0x71f/0x800 fs/namespace.c:4088
	__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
	x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	=====================================================

	The reason is that imap is not properly initialized after memory
	allocation. It will cause the snprintf() function to write uninitialized
	data into linebuf within hex_dump_to_buffer().

	Fix this by using kzalloc instead of kmalloc to clear its content at the
	beginning in diMount().

	The Linux kernel CVE team has assigned CVE-2025-37742 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.15.181 with commit 4f10732712fce33e53703ffe5ed9155f23814097
	Fixed in 6.1.135 with commit cab1852368dd74d629ee02abdbc559218ca64dde
	Fixed in 6.6.88 with commit 067347e00a3a7d04afed93f080c6c131e5dd15ee
	Fixed in 6.12.24 with commit 63148ce4904faa668daffdd1d3c1199ae315ef2c
	Fixed in 6.13.12 with commit 7057f3aab47629d38e54eae83505813cf0da1e4b
	Fixed in 6.14.3 with commit d0d7eca253ccd0619b3d2b683ffe32218ebca9ac
	Fixed in 6.15 with commit 9629d7d66c621671d9a47afe27ca9336bfc8a9ea

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37742
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/jfs/jfs_imap.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4f10732712fce33e53703ffe5ed9155f23814097
	https://git.kernel.org/stable/c/cab1852368dd74d629ee02abdbc559218ca64dde
	https://git.kernel.org/stable/c/067347e00a3a7d04afed93f080c6c131e5dd15ee
	https://git.kernel.org/stable/c/63148ce4904faa668daffdd1d3c1199ae315ef2c
	https://git.kernel.org/stable/c/7057f3aab47629d38e54eae83505813cf0da1e4b
	https://git.kernel.org/stable/c/d0d7eca253ccd0619b3d2b683ffe32218ebca9ac
	https://git.kernel.org/stable/c/9629d7d66c621671d9a47afe27ca9336bfc8a9ea