From bippy-1.2.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2025-39735: jfs: fix slab-out-of-bounds read in ea_get()

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

jfs: fix slab-out-of-bounds read in ea_get()

At the "size_check" label in ea_get(), the code checks if the extended
attribute list (xattr) size matches ea_size. If not, it logs
"ea_get: invalid extended attribute" and calls print_hex_dump().

Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds
INT_MAX (2,147,483,647). Then ea_size is clamped:

    int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));

Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper
limit is treated as an int, causing an overflow above 2^31 - 1. This causes
"size" to wrap around and become negative (-184549328).

The "size" is then passed to print_hex_dump(), where it is called "len"
and has type size_t (an unsigned type). It is then stored in a variable
called "int remaining", which is assigned to "int linelen", which is
then passed to hex_dump_to_buffer(). In print_hex_dump(), the for loop
iterates from 0 to len-1, where len is 18446744073525002176, calling
hex_dump_to_buffer() on each iteration:

    for (i = 0; i < len; i += rowsize) {
        linelen = min(remaining, rowsize);
        remaining -= rowsize;

        hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
                           linebuf, sizeof(linebuf), ascii);

        ...
    }

The expected stopping condition (i < len) is effectively broken
since len is corrupted and very large. This eventually leads to
"ptr+i", as passed to hex_dump_to_buffer(), getting closer
to the end of the actual bounds of "ptr", until an out-of-bounds
access is done in hex_dump_to_buffer() in the following for loop:

    for (j = 0; j < len; j++) {
        if (linebuflen < lx + 2)
            goto overflow2;
        ch = ptr[j];
        ...
    }

To fix this, we should validate "EALIST_SIZE(ea_buf->xattr)"
before it is utilised.

The Linux kernel CVE team has assigned CVE-2025-39735 to this issue.
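
The integer-conversion chain described above, as an added illustration that
is not part of this advisory or of the kernel source: a simplified stand-in
for the kernel's min_t/max_t/clamp_t macros, the pre-fix size computation fed
the EALIST_SIZE value quoted above, its conversion to the size_t that
print_hex_dump() and hex_dump_to_buffer() receive, and a hardened variant
that checks the on-disk size against INT_MAX and the backing buffer before
using it. The macro definitions, the buf_capacity parameter and
hardened_size() are this example's own assumptions, not the upstream patch
(which is at the commits listed under Mitigation); the wrapped size_t value
assumes a 64-bit size_t and two's complement truncation, as the kernel does.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Simplified stand-ins for the kernel's min_t/max_t/clamp_t macros
 * (assumption: same cast semantics as include/linux/minmax.h). The point
 * that matters is the cast: every operand is converted to `type` BEFORE
 * the comparison, so an upper bound that does not fit in `type` is
 * silently truncated instead of bounding anything.
 */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))
#define max_t(type, a, b) ((type)(a) > (type)(b) ? (type)(a) : (type)(b))
#define clamp_t(type, val, lo, hi) min_t(type, max_t(type, val, lo), hi)

/* EALIST_SIZE(ea_buf->xattr) value quoted in the commit message. */
#define CRAFTED_EALIST_SIZE 4110417968u

/*
 * Mirrors the pre-fix computation in ea_get(): the untrusted on-disk
 * size is used as the clamp's upper bound without first checking that
 * it fits in an int or in the buffer that was actually read.
 * Returns -184549328 for CRAFTED_EALIST_SIZE regardless of ea_size >= 0.
 */
int vulnerable_size(unsigned int ealist_size, int ea_size)
{
    return clamp_t(int, ea_size, 0, ealist_size);
}

/* What print_hex_dump() receives as `size_t len`: the negative int wrapped. */
size_t as_hex_dump_len(int size)
{
    return (size_t)size;
}

/*
 * Model of the first iteration of print_hex_dump()'s loop:
 * `int remaining = len; linelen = min(remaining, rowsize);`, after which
 * linelen is handed to hex_dump_to_buffer() as a size_t again. The
 * truncation to int and the widening back to size_t reproduce the huge
 * length, so the inner `j < len` loop is not bounded by rowsize either.
 */
size_t first_linelen_seen_by_hex_dump_to_buffer(size_t len, int rowsize)
{
    int remaining = (int)len;   /* truncating conversion, as in the kernel */
    int linelen = remaining < rowsize ? remaining : rowsize;
    return (size_t)linelen;
}

/*
 * Hardened variant (this example's own illustration of "validate
 * EALIST_SIZE before it is utilised"; not the upstream patch).
 * `buf_capacity` (assumed parameter) is the number of bytes actually
 * backing ea_buf->xattr. Returns -1 when the on-disk size cannot be trusted,
 * so the caller can bail out with -EIO before any clamp or hex dump.
 */
int hardened_size(unsigned int ealist_size, size_t buf_capacity, int ea_size)
{
    if (ealist_size > (unsigned int)INT_MAX || ealist_size > buf_capacity)
        return -1;
    if (ea_size < 0)
        return -1;
    return clamp_t(int, ea_size, 0, ealist_size);
}

int main(void)
{
    int size = vulnerable_size(CRAFTED_EALIST_SIZE, 1024);
    size_t len = as_hex_dump_len(size);

    printf("clamp_t(int, 1024, 0, %u) = %d\n", CRAFTED_EALIST_SIZE, size);
    printf("as size_t len: %zu\n", len);
    printf("first linelen handed to hex_dump_to_buffer(): %zu\n",
           first_linelen_seen_by_hex_dump_to_buffer(len, 16));
    printf("hardened, crafted size: %d\n",
           hardened_size(CRAFTED_EALIST_SIZE, 4096, 1024));
    printf("hardened, sane size: %d\n", hardened_size(64, 4096, 1024));
    return 0;
}
```

The first two functions show why the clamp cannot rescue the situation:
once the upper bound is cast to int it is already negative, so the "minimum"
is that negative value, and every later conversion to size_t turns it into
a length of roughly 2^64. The check has to happen on the unsigned on-disk
value, against both INT_MAX and the real buffer size, before it reaches
clamp_t.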


Affected and fixed versions
===========================

Issue introduced in 5.4.287 with commit 6e39b681d1eb16f408493bf5023788b57f68998c and fixed in 5.4.292 with commit 3d6fd5b9c6acbc005e53d0211c7381f566babec1
Issue introduced in 5.10.231 with commit bbf3f1fd8a0ac7df1db36a9b9e923041a14369f2 and fixed in 5.10.236 with commit 50afcee7011155933d8d5e8832f52eeee018cfd3
Issue introduced in 5.15.174 with commit 27a93c45e16ac25a0e2b5e5668e2d1beca56a478 and fixed in 5.15.180 with commit 78c9cbde8880ec02d864c166bcb4fe989ce1d95f
Issue introduced in 6.1.120 with commit 9c356fc32a4480a2c0e537a05f2a8617633ddad0 and fixed in 6.1.134 with commit 46e2c031aa59ea65128991cbca474bd5c0c2ecdb
Issue introduced in 6.6.64 with commit 9353cdf28d4c5c0ff19c5df7fbf81ea774de43a4 and fixed in 6.6.87 with commit a8c31808925b11393a6601f534bb63bac5366bab
Issue introduced in 6.12.2 with commit 8c505ebeed8045b488b2e60b516c752b851f8437 and fixed in 6.12.23 with commit 0beddc2a3f9b9cf7d8887973041e36c2d0fa3652
Issue introduced in 6.13 with commit d9f9d96136cba8fedd647d2c024342ce090133c2 and fixed in 6.13.11 with commit 16d3d36436492aa248b2d8045e75585ebcc2f34d
Issue introduced in 6.13 with commit d9f9d96136cba8fedd647d2c024342ce090133c2 and fixed in 6.14.2 with commit 5263822558a8a7c0d0248d5679c2dcf4d5cda61f
Issue introduced in 6.13 with commit d9f9d96136cba8fedd647d2c024342ce090133c2 and fixed in 6.15 with commit fdf480da5837c23b146c4743c18de97202fcab37
Issue introduced in 4.19.325 with commit 4ea25fa8747fb8b1e5a11d87b852023ecf7ae420
Issue introduced in 6.11.11 with commit 676a787048aafd4d1b38a522b05a9cc77e1b0a33

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-39735
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
fs/jfs/xattr.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/3d6fd5b9c6acbc005e53d0211c7381f566babec1
https://git.kernel.org/stable/c/50afcee7011155933d8d5e8832f52eeee018cfd3
https://git.kernel.org/stable/c/78c9cbde8880ec02d864c166bcb4fe989ce1d95f
https://git.kernel.org/stable/c/46e2c031aa59ea65128991cbca474bd5c0c2ecdb
https://git.kernel.org/stable/c/a8c31808925b11393a6601f534bb63bac5366bab
https://git.kernel.org/stable/c/0beddc2a3f9b9cf7d8887973041e36c2d0fa3652
https://git.kernel.org/stable/c/16d3d36436492aa248b2d8045e75585ebcc2f34d
https://git.kernel.org/stable/c/5263822558a8a7c0d0248d5679c2dcf4d5cda61f
https://git.kernel.org/stable/c/fdf480da5837c23b146c4743c18de97202fcab37