CVE-2025-37739
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-37739
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37739.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-37739
- Related
- Published
- 2025-05-01T13:15:52Z
- Modified
- 2025-05-05T17:54:34.517939Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid out-of-bounds access in f2fstruncateinode_blocks()
syzbot reports an UBSAN issue as below:
------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10 index 18446744073709550692 is out of range for type '_le32[5]' (aka 'unsigned int[5]') CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0 Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:120 ubsanepilogue lib/ubsan.c:231 [inline] _ubsanhandleoutofbounds+0x121/0x150 lib/ubsan.c:429 getnid fs/f2fs/node.h:381 [inline] f2fstruncateinodeblocks+0xa5e/0xf60 fs/f2fs/node.c:1181 f2fsdotruncateblocks+0x782/0x1030 fs/f2fs/file.c:808 f2fstruncateblocks+0x10d/0x300 fs/f2fs/file.c:836 f2fstruncate+0x417/0x720 fs/f2fs/file.c:886 f2fsfilewriteiter+0x1bdb/0x2550 fs/f2fs/file.c:5093 aiowrite+0x56b/0x7c0 fs/aio.c:1633 iosubmitone+0x8a7/0x18a0 fs/aio.c:2052 _dosysiosubmit fs/aio.c:2111 [inline] _sesysiosubmit+0x171/0x2e0 fs/aio.c:2081 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xf3/0x230 arch/x86/entry/common.c:83 entrySYSCALL64after_hwframe+0x77/0x7f RIP: 0033:0x7f238798cde9
index 18446744073709550692 (decimal, unsigned long long) = 0xfffffffffffffc64 (hexadecimal, unsigned long long) = -924 (decimal, long long)
In f2fstruncateinodeblocks(), UBSAN detects that getnid() tries to access .i_nid[-924], it means both offset[0] and level should zero.
The possible case should be in f2fsdotruncateblocks(), we try to truncate inode size to zero, however, dn.ofsinnode is zero and dn.nodepage is not an inode page, so it fails to truncate inode page, and then pass zeroed freefrom to f2fstruncateinodeblocks(), result in this issue.
if (dn.ofs_in_node || IS_INODE(dn.node_page)) { f2fs_truncate_data_blocks_range(&dn, count); free_from += count; }I guess the reason why dn.nodepage is not an inode page could be: there are multiple nat entries share the same node block address, once the node block address was reused, f2fsgetnodepage() may load a non-inode block.
Let's add a sanity check for such condition to avoid out-of-bounds access issue.
- References
-
- https://git.kernel.org/stable/c/67e16ccba74dd8de0a7b10062f1e02d77432f573
- https://git.kernel.org/stable/c/6ba8b41d0aa4b82f90f0c416cb53fcef9696525d
- https://git.kernel.org/stable/c/8b5e5aac44fee122947a269f9034c048e4c295de
- https://git.kernel.org/stable/c/98dbf2af63de0b551082c9bc48333910e009b09f
- https://git.kernel.org/stable/c/a67e1bf03c609a751d1740a1789af25e599966fa
- https://git.kernel.org/stable/c/d7242fd7946d4cba0411effb6b5048ca55125747
- https://git.kernel.org/stable/c/e6494977bd4a83862118a05f57a8df40256951c0
- https://git.kernel.org/stable/c/ecc461331604b07cdbdb7360dbdf78471653264c
- https://security-tracker.debian.org/tracker/CVE-2025-37739
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.135-1
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.12.25-1