Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2025 / CVE-2025-23150.json
blob: 239cee64975e0225cdd59d90cc8143c2b9fa73c4 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off-by-one error in do_split\n\nSyzkaller detected a use-after-free issue in ext4_insert_dentry that was\ncaused by out-of-bounds access due to incorrect splitting in do_split.\n\nBUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\nWrite of size 251 at addr ffff888074572f14 by task syz-executor335/5847\n\nCPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\n ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\n add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154\n make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455\n ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796\n ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431\n vfs_symlink+0x137/0x2e0 fs/namei.c:4615\n do_symlinkat+0x222/0x3a0 fs/namei.c:4641\n __do_sys_symlink fs/namei.c:4662 [inline]\n __se_sys_symlink fs/namei.c:4660 [inline]\n __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nThe following loop is located right above 'if' statement.\n\nfor (i = count-1; i >= 0; i--) {\n\t/* is more than half of this entry in 2nd half of the block? */\n\tif (size + map[i].size/2 > blocksize/2)\n\t\tbreak;\n\tsize += map[i].size;\n\tmove++;\n}\n\n'i' in this case could go down to -1, in which case sum of active entries\nwouldn't exceed half the block size, but previous behaviour would also do\nsplit in half if sum would exceed at the very last block, which in case of\nhaving too many long name files in a single block could lead to\nout-of-bounds access and following use-after-free.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/ext4/namei.c"
],
"versions": [
{
"version": "ea54176e5821936d109bb45dc2c19bd53559e735",
"lessThan": "b96bd2c3db26ad0daec5b78c85c098b53900e2e1",
"status": "affected",
"versionType": "git"
},
{
"version": "5872331b3d91820e14716632ebb56b1399b34fe1",
"lessThan": "515c34cff899eb5dae6aa7eee01c1295b07d81af",
"status": "affected",
"versionType": "git"
},
{
"version": "5872331b3d91820e14716632ebb56b1399b34fe1",
"lessThan": "2883e9e74f73f9265e5f8d1aaaa89034b308e433",
"status": "affected",
"versionType": "git"
},
{
"version": "5872331b3d91820e14716632ebb56b1399b34fe1",
"lessThan": "35d0aa6db9d93307085871ceab8a729594a98162",
"status": "affected",
"versionType": "git"
},
{
"version": "5872331b3d91820e14716632ebb56b1399b34fe1",
"lessThan": "2eeb1085bf7bd5c7ba796ca4119925fa5d336a3f",
"status": "affected",
"versionType": "git"
},
{
"version": "5872331b3d91820e14716632ebb56b1399b34fe1",
"lessThan": "16d9067f00e3a7d1df7c3aa9c20d214923d27e10",
"status": "affected",
"versionType": "git"
},
{
"version": "5872331b3d91820e14716632ebb56b1399b34fe1",
"lessThan": "17df39f455f1289319d4d09e4826aa46852ffd17",
"status": "affected",
"versionType": "git"
},
{
"version": "5872331b3d91820e14716632ebb56b1399b34fe1",
"lessThan": "ab0cc5c25552ae0d20eae94b40a93be11b080fc5",
"status": "affected",
"versionType": "git"
},
{
"version": "5872331b3d91820e14716632ebb56b1399b34fe1",
"lessThan": "94824ac9a8aaf2fb3c54b4bdde842db80ffa555d",
"status": "affected",
"versionType": "git"
},
{
"version": "059b1480105478c5f68cf664301545b8cad6a7cf",
"status": "affected",
"versionType": "git"
},
{
"version": "539ae3e03875dacaa9c388aff141ccbb4ef4ecb5",
"status": "affected",
"versionType": "git"
},
{
"version": "fbbfd55a40d5d0806b59ee0403c75d5ac517533f",
"status": "affected",
"versionType": "git"
},
{
"version": "b3ddf6ba5e28a57729fff1605ae08e21be5c92e3",
"status": "affected",
"versionType": "git"
},
{
"version": "e50fe43e3062e18846e99d9646b9c07b097eb1ed",
"status": "affected",
"versionType": "git"
},
{
"version": "88e79f7a9841278fa8ff7ff6178bad12da002ffc",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/ext4/namei.c"
],
"versions": [
{
"version": "5.9",
"status": "affected"
},
{
"version": "0",
"lessThan": "5.9",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.293",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.237",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.181",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.135",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.88",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.24",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13.12",
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.14.3",
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.15",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.61",
"versionEndExcluding": "5.4.293"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9",
"versionEndExcluding": "5.10.237"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9",
"versionEndExcluding": "5.15.181"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9",
"versionEndExcluding": "6.1.135"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9",
"versionEndExcluding": "6.6.88"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9",
"versionEndExcluding": "6.12.24"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9",
"versionEndExcluding": "6.13.12"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9",
"versionEndExcluding": "6.14.3"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9",
"versionEndExcluding": "6.15"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.234"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.234"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.195"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.142"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.7.18"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.4"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/b96bd2c3db26ad0daec5b78c85c098b53900e2e1"
},
{
"url": "https://git.kernel.org/stable/c/515c34cff899eb5dae6aa7eee01c1295b07d81af"
},
{
"url": "https://git.kernel.org/stable/c/2883e9e74f73f9265e5f8d1aaaa89034b308e433"
},
{
"url": "https://git.kernel.org/stable/c/35d0aa6db9d93307085871ceab8a729594a98162"
},
{
"url": "https://git.kernel.org/stable/c/2eeb1085bf7bd5c7ba796ca4119925fa5d336a3f"
},
{
"url": "https://git.kernel.org/stable/c/16d9067f00e3a7d1df7c3aa9c20d214923d27e10"
},
{
"url": "https://git.kernel.org/stable/c/17df39f455f1289319d4d09e4826aa46852ffd17"
},
{
"url": "https://git.kernel.org/stable/c/ab0cc5c25552ae0d20eae94b40a93be11b080fc5"
},
{
"url": "https://git.kernel.org/stable/c/94824ac9a8aaf2fb3c54b4bdde842db80ffa555d"
}
],
"title": "ext4: fix off-by-one error in do_split",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2025-23150",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}