cve/published/2025/CVE-2025-37739.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37739: f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()

 syzbot reports an UBSAN issue as below:

 ------------[ cut here ]------------
 UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10
 index 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]')
 CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
  ubsan_epilogue lib/ubsan.c:231 [inline]
  __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
  get_nid fs/f2fs/node.h:381 [inline]
  f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181
  f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808
  f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836
  f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886
  f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093
  aio_write+0x56b/0x7c0 fs/aio.c:1633
  io_submit_one+0x8a7/0x18a0 fs/aio.c:2052
  __do_sys_io_submit fs/aio.c:2111 [inline]
  __se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7f238798cde9

 index 18446744073709550692 (decimal, unsigned long long)
 = 0xfffffffffffffc64 (hexadecimal, unsigned long long)
 = -924 (decimal, long long)

 In f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to
 access .i_nid[-924], it means both offset[0] and level should zero.

 The possible case should be in f2fs_do_truncate_blocks(), we try to
 truncate inode size to zero, however, dn.ofs_in_node is zero and
 dn.node_page is not an inode page, so it fails to truncate inode page,
 and then pass zeroed free_from to f2fs_truncate_inode_blocks(), result
 in this issue.

 	if (dn.ofs_in_node || IS_INODE(dn.node_page)) {
 		f2fs_truncate_data_blocks_range(&dn, count);
 		free_from += count;
 	}

 I guess the reason why dn.node_page is not an inode page could be: there
 are multiple nat entries share the same node block address, once the node
 block address was reused, f2fs_get_node_page() may load a non-inode block.

 Let's add a sanity check for such condition to avoid out-of-bounds access
 issue.

 The Linux kernel CVE team has assigned CVE-2025-37739 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.10.237 with commit a67e1bf03c609a751d1740a1789af25e599966fa
 	Fixed in 5.15.181 with commit 67e16ccba74dd8de0a7b10062f1e02d77432f573
 	Fixed in 6.1.135 with commit 98dbf2af63de0b551082c9bc48333910e009b09f
 	Fixed in 6.6.88 with commit 8b5e5aac44fee122947a269f9034c048e4c295de
 	Fixed in 6.12.24 with commit ecc461331604b07cdbdb7360dbdf78471653264c
 	Fixed in 6.13.12 with commit d7242fd7946d4cba0411effb6b5048ca55125747
 	Fixed in 6.14.3 with commit 6ba8b41d0aa4b82f90f0c416cb53fcef9696525d
 	Fixed in 6.15 with commit e6494977bd4a83862118a05f57a8df40256951c0

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37739
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/f2fs/node.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a67e1bf03c609a751d1740a1789af25e599966fa
 	https://git.kernel.org/stable/c/67e16ccba74dd8de0a7b10062f1e02d77432f573
 	https://git.kernel.org/stable/c/98dbf2af63de0b551082c9bc48333910e009b09f
 	https://git.kernel.org/stable/c/8b5e5aac44fee122947a269f9034c048e4c295de
 	https://git.kernel.org/stable/c/ecc461331604b07cdbdb7360dbdf78471653264c
 	https://git.kernel.org/stable/c/d7242fd7946d4cba0411effb6b5048ca55125747
 	https://git.kernel.org/stable/c/6ba8b41d0aa4b82f90f0c416cb53fcef9696525d
 	https://git.kernel.org/stable/c/e6494977bd4a83862118a05f57a8df40256951c0
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37739: f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()

	syzbot reports an UBSAN issue as below:

	------------[ cut here ]------------
	UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10
	index 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]')
	CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:94 [inline]
	dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
	ubsan_epilogue lib/ubsan.c:231 [inline]
	__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
	get_nid fs/f2fs/node.h:381 [inline]
	f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181
	f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808
	f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836
	f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886
	f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093
	aio_write+0x56b/0x7c0 fs/aio.c:1633
	io_submit_one+0x8a7/0x18a0 fs/aio.c:2052
	__do_sys_io_submit fs/aio.c:2111 [inline]
	__se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7f238798cde9

	index 18446744073709550692 (decimal, unsigned long long)
	= 0xfffffffffffffc64 (hexadecimal, unsigned long long)
	= -924 (decimal, long long)

	In f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to
	access .i_nid[-924], it means both offset[0] and level should zero.

	The possible case should be in f2fs_do_truncate_blocks(), we try to
	truncate inode size to zero, however, dn.ofs_in_node is zero and
	dn.node_page is not an inode page, so it fails to truncate inode page,
	and then pass zeroed free_from to f2fs_truncate_inode_blocks(), result
	in this issue.

	if (dn.ofs_in_node \|\| IS_INODE(dn.node_page)) {
	f2fs_truncate_data_blocks_range(&dn, count);
	free_from += count;
	}

	I guess the reason why dn.node_page is not an inode page could be: there
	are multiple nat entries share the same node block address, once the node
	block address was reused, f2fs_get_node_page() may load a non-inode block.

	Let's add a sanity check for such condition to avoid out-of-bounds access
	issue.

	The Linux kernel CVE team has assigned CVE-2025-37739 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.10.237 with commit a67e1bf03c609a751d1740a1789af25e599966fa
	Fixed in 5.15.181 with commit 67e16ccba74dd8de0a7b10062f1e02d77432f573
	Fixed in 6.1.135 with commit 98dbf2af63de0b551082c9bc48333910e009b09f
	Fixed in 6.6.88 with commit 8b5e5aac44fee122947a269f9034c048e4c295de
	Fixed in 6.12.24 with commit ecc461331604b07cdbdb7360dbdf78471653264c
	Fixed in 6.13.12 with commit d7242fd7946d4cba0411effb6b5048ca55125747
	Fixed in 6.14.3 with commit 6ba8b41d0aa4b82f90f0c416cb53fcef9696525d
	Fixed in 6.15 with commit e6494977bd4a83862118a05f57a8df40256951c0

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37739
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/f2fs/node.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a67e1bf03c609a751d1740a1789af25e599966fa
	https://git.kernel.org/stable/c/67e16ccba74dd8de0a7b10062f1e02d77432f573
	https://git.kernel.org/stable/c/98dbf2af63de0b551082c9bc48333910e009b09f
	https://git.kernel.org/stable/c/8b5e5aac44fee122947a269f9034c048e4c295de
	https://git.kernel.org/stable/c/ecc461331604b07cdbdb7360dbdf78471653264c
	https://git.kernel.org/stable/c/d7242fd7946d4cba0411effb6b5048ca55125747
	https://git.kernel.org/stable/c/6ba8b41d0aa4b82f90f0c416cb53fcef9696525d
	https://git.kernel.org/stable/c/e6494977bd4a83862118a05f57a8df40256951c0