cve/published/2025/CVE-2025-21721.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21721: nilfs2: handle errors that nilfs_prepare_chunk() may return

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nilfs2: handle errors that nilfs_prepare_chunk() may return

 Patch series "nilfs2: fix issues with rename operations".

 This series fixes BUG_ON check failures reported by syzbot around rename
 operations, and a minor behavioral issue where the mtime of a child
 directory changes when it is renamed instead of moved.


 This patch (of 2):

 The directory manipulation routines nilfs_set_link() and
 nilfs_delete_entry() rewrite the directory entry in the folio/page
 previously read by nilfs_find_entry(), so error handling is omitted on the
 assumption that nilfs_prepare_chunk(), which prepares the buffer for
 rewriting, will always succeed for these.  And if an error is returned, it
 triggers the legacy BUG_ON() checks in each routine.

 This assumption is wrong, as proven by syzbot: the buffer layer called by
 nilfs_prepare_chunk() may call nilfs_get_block() if necessary, which may
 fail due to metadata corruption or other reasons.  This has been there all
 along, but improved sanity checks and error handling may have made it more
 reproducible in fuzzing tests.

 Fix this issue by adding missing error paths in nilfs_set_link(),
 nilfs_delete_entry(), and their caller nilfs_rename().

 The Linux kernel CVE team has assigned CVE-2025-21721 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.4.291 with commit b38c6c260c2415c7f0968871305e7a093daabb4c
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.10.235 with commit f70bd2d8ca454e0ed78970f72147ca321dbaa015
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.15.179 with commit 607dc724b162f4452dc768865e578c1a509a1c8c
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.1.131 with commit 1ee2d454baa361d2964e3e2f2cca9ee3f769d93c
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.6.80 with commit 7891ac3b0a5c56f7148af507306308ab841cdc31
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.12.13 with commit eddd3176b8c4c83a46ab974574cda7c3dfe09388
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.13.2 with commit 481136234dfe96c7f92770829bec6111c7c5f5dd
 	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.14 with commit ee70999a988b8abc3490609142f50ebaa8344432

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21721
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/nilfs2/dir.c
 	fs/nilfs2/namei.c
 	fs/nilfs2/nilfs.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b38c6c260c2415c7f0968871305e7a093daabb4c
 	https://git.kernel.org/stable/c/f70bd2d8ca454e0ed78970f72147ca321dbaa015
 	https://git.kernel.org/stable/c/607dc724b162f4452dc768865e578c1a509a1c8c
 	https://git.kernel.org/stable/c/1ee2d454baa361d2964e3e2f2cca9ee3f769d93c
 	https://git.kernel.org/stable/c/7891ac3b0a5c56f7148af507306308ab841cdc31
 	https://git.kernel.org/stable/c/eddd3176b8c4c83a46ab974574cda7c3dfe09388
 	https://git.kernel.org/stable/c/481136234dfe96c7f92770829bec6111c7c5f5dd
 	https://git.kernel.org/stable/c/ee70999a988b8abc3490609142f50ebaa8344432
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21721: nilfs2: handle errors that nilfs_prepare_chunk() may return

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nilfs2: handle errors that nilfs_prepare_chunk() may return

	Patch series "nilfs2: fix issues with rename operations".

	This series fixes BUG_ON check failures reported by syzbot around rename
	operations, and a minor behavioral issue where the mtime of a child
	directory changes when it is renamed instead of moved.


	This patch (of 2):

	The directory manipulation routines nilfs_set_link() and
	nilfs_delete_entry() rewrite the directory entry in the folio/page
	previously read by nilfs_find_entry(), so error handling is omitted on the
	assumption that nilfs_prepare_chunk(), which prepares the buffer for
	rewriting, will always succeed for these. And if an error is returned, it
	triggers the legacy BUG_ON() checks in each routine.

	This assumption is wrong, as proven by syzbot: the buffer layer called by
	nilfs_prepare_chunk() may call nilfs_get_block() if necessary, which may
	fail due to metadata corruption or other reasons. This has been there all
	along, but improved sanity checks and error handling may have made it more
	reproducible in fuzzing tests.

	Fix this issue by adding missing error paths in nilfs_set_link(),
	nilfs_delete_entry(), and their caller nilfs_rename().

	The Linux kernel CVE team has assigned CVE-2025-21721 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.4.291 with commit b38c6c260c2415c7f0968871305e7a093daabb4c
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.10.235 with commit f70bd2d8ca454e0ed78970f72147ca321dbaa015
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 5.15.179 with commit 607dc724b162f4452dc768865e578c1a509a1c8c
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.1.131 with commit 1ee2d454baa361d2964e3e2f2cca9ee3f769d93c
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.6.80 with commit 7891ac3b0a5c56f7148af507306308ab841cdc31
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.12.13 with commit eddd3176b8c4c83a46ab974574cda7c3dfe09388
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.13.2 with commit 481136234dfe96c7f92770829bec6111c7c5f5dd
	Issue introduced in 2.6.30 with commit 2ba466d74ed74f073257f86e61519cb8f8f46184 and fixed in 6.14 with commit ee70999a988b8abc3490609142f50ebaa8344432

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21721
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/nilfs2/dir.c
	fs/nilfs2/namei.c
	fs/nilfs2/nilfs.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b38c6c260c2415c7f0968871305e7a093daabb4c
	https://git.kernel.org/stable/c/f70bd2d8ca454e0ed78970f72147ca321dbaa015
	https://git.kernel.org/stable/c/607dc724b162f4452dc768865e578c1a509a1c8c
	https://git.kernel.org/stable/c/1ee2d454baa361d2964e3e2f2cca9ee3f769d93c
	https://git.kernel.org/stable/c/7891ac3b0a5c56f7148af507306308ab841cdc31
	https://git.kernel.org/stable/c/eddd3176b8c4c83a46ab974574cda7c3dfe09388
	https://git.kernel.org/stable/c/481136234dfe96c7f92770829bec6111c7c5f5dd
	https://git.kernel.org/stable/c/ee70999a988b8abc3490609142f50ebaa8344432