cve/published/2025/CVE-2025-37780.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37780: isofs: Prevent the use of too small fid

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 isofs: Prevent the use of too small fid

 syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1]

 The handle_bytes value passed in by the reproducing program is equal to 12.
 In handle_to_path(), only 12 bytes of memory are allocated for the structure
 file_handle->f_handle member, which causes an out-of-bounds access when
 accessing the member parent_block of the structure isofs_fid in isofs,
 because accessing parent_block requires at least 16 bytes of f_handle.
 Here, fh_len is used to indirectly confirm that the value of handle_bytes
 is greater than 3 before accessing parent_block.

 [1]
 BUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
 Read of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466
 CPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
 Call trace:
  show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
  print_address_description mm/kasan/report.c:408 [inline]
  print_report+0x198/0x550 mm/kasan/report.c:521
  kasan_report+0xd8/0x138 mm/kasan/report.c:634
  __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
  isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
  exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523
  do_handle_to_path+0xa0/0x198 fs/fhandle.c:257
  handle_to_path fs/fhandle.c:385 [inline]
  do_handle_open+0x8cc/0xb8c fs/fhandle.c:403
  __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
  __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
  __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
  el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
  el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
  el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

 Allocated by task 6466:
  kasan_save_stack mm/kasan/common.c:47 [inline]
  kasan_save_track+0x40/0x78 mm/kasan/common.c:68
  kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562
  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
  __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
  kasan_kmalloc include/linux/kasan.h:260 [inline]
  __do_kmalloc_node mm/slub.c:4294 [inline]
  __kmalloc_noprof+0x32c/0x54c mm/slub.c:4306
  kmalloc_noprof include/linux/slab.h:905 [inline]
  handle_to_path fs/fhandle.c:357 [inline]
  do_handle_open+0x5a4/0xb8c fs/fhandle.c:403
  __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
  __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
  __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
  el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
  el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
  el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

 The Linux kernel CVE team has assigned CVE-2025-37780 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.293 with commit ee01a309ebf598be1ff8174901ed6e91619f1749
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.237 with commit 5e7de55602c61c8ff28db075cc49c8dd6989d7e0
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.181 with commit 63d5a3e207bf315a32c7d16de6c89753a759f95a
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.135 with commit 0fdafdaef796816a9ed0fd7ac812932d569d9beb
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.88 with commit 952e7a7e317f126d0a2b879fc531b716932d5ffa
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.12.25 with commit 56dfffea9fd3be0b3795a9ca6401e133a8427e0b
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.14.4 with commit 007124c896e7d4614ac1f6bd4dedb975c35a2a8e
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.15 with commit 0405d4b63d082861f4eaff9d39c78ee9dc34f845

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37780
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/isofs/export.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ee01a309ebf598be1ff8174901ed6e91619f1749
 	https://git.kernel.org/stable/c/5e7de55602c61c8ff28db075cc49c8dd6989d7e0
 	https://git.kernel.org/stable/c/63d5a3e207bf315a32c7d16de6c89753a759f95a
 	https://git.kernel.org/stable/c/0fdafdaef796816a9ed0fd7ac812932d569d9beb
 	https://git.kernel.org/stable/c/952e7a7e317f126d0a2b879fc531b716932d5ffa
 	https://git.kernel.org/stable/c/56dfffea9fd3be0b3795a9ca6401e133a8427e0b
 	https://git.kernel.org/stable/c/007124c896e7d4614ac1f6bd4dedb975c35a2a8e
 	https://git.kernel.org/stable/c/0405d4b63d082861f4eaff9d39c78ee9dc34f845
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37780: isofs: Prevent the use of too small fid

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	isofs: Prevent the use of too small fid

	syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1]

	The handle_bytes value passed in by the reproducing program is equal to 12.
	In handle_to_path(), only 12 bytes of memory are allocated for the structure
	file_handle->f_handle member, which causes an out-of-bounds access when
	accessing the member parent_block of the structure isofs_fid in isofs,
	because accessing parent_block requires at least 16 bytes of f_handle.
	Here, fh_len is used to indirectly confirm that the value of handle_bytes
	is greater than 3 before accessing parent_block.

	[1]
	BUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
	Read of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466
	CPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
	Call trace:
	show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
	__dump_stack lib/dump_stack.c:94 [inline]
	dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
	print_address_description mm/kasan/report.c:408 [inline]
	print_report+0x198/0x550 mm/kasan/report.c:521
	kasan_report+0xd8/0x138 mm/kasan/report.c:634
	__asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
	isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
	exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523
	do_handle_to_path+0xa0/0x198 fs/fhandle.c:257
	handle_to_path fs/fhandle.c:385 [inline]
	do_handle_open+0x8cc/0xb8c fs/fhandle.c:403
	__do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
	__se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
	__arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
	__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
	invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
	el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
	do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
	el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
	el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
	el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

	Allocated by task 6466:
	kasan_save_stack mm/kasan/common.c:47 [inline]
	kasan_save_track+0x40/0x78 mm/kasan/common.c:68
	kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562
	poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
	__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
	kasan_kmalloc include/linux/kasan.h:260 [inline]
	__do_kmalloc_node mm/slub.c:4294 [inline]
	__kmalloc_noprof+0x32c/0x54c mm/slub.c:4306
	kmalloc_noprof include/linux/slab.h:905 [inline]
	handle_to_path fs/fhandle.c:357 [inline]
	do_handle_open+0x5a4/0xb8c fs/fhandle.c:403
	__do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
	__se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
	__arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
	__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
	invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
	el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
	do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
	el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
	el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
	el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

	The Linux kernel CVE team has assigned CVE-2025-37780 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.293 with commit ee01a309ebf598be1ff8174901ed6e91619f1749
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.237 with commit 5e7de55602c61c8ff28db075cc49c8dd6989d7e0
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.181 with commit 63d5a3e207bf315a32c7d16de6c89753a759f95a
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.135 with commit 0fdafdaef796816a9ed0fd7ac812932d569d9beb
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.88 with commit 952e7a7e317f126d0a2b879fc531b716932d5ffa
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.12.25 with commit 56dfffea9fd3be0b3795a9ca6401e133a8427e0b
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.14.4 with commit 007124c896e7d4614ac1f6bd4dedb975c35a2a8e
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.15 with commit 0405d4b63d082861f4eaff9d39c78ee9dc34f845

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37780
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/isofs/export.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ee01a309ebf598be1ff8174901ed6e91619f1749
	https://git.kernel.org/stable/c/5e7de55602c61c8ff28db075cc49c8dd6989d7e0
	https://git.kernel.org/stable/c/63d5a3e207bf315a32c7d16de6c89753a759f95a
	https://git.kernel.org/stable/c/0fdafdaef796816a9ed0fd7ac812932d569d9beb
	https://git.kernel.org/stable/c/952e7a7e317f126d0a2b879fc531b716932d5ffa
	https://git.kernel.org/stable/c/56dfffea9fd3be0b3795a9ca6401e133a8427e0b
	https://git.kernel.org/stable/c/007124c896e7d4614ac1f6bd4dedb975c35a2a8e
	https://git.kernel.org/stable/c/0405d4b63d082861f4eaff9d39c78ee9dc34f845