CVE-2025-38222
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38222
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38222.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-38222
- Published
- 2025-07-04T14:15:30Z
- Modified
- 2025-07-04T18:51:43.696409Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
ext4: inline: fix len overflow in ext4prepareinline_data
When running the following code on an ext4 filesystem with inline_data feature enabled, it will lead to the bug below.
fd = open("file1", O_RDWR | O_CREAT | O_TRUNC, 0666); ftruncate(fd, 30); pwrite(fd, "a", 1, (1UL << 40) + 5UL);That happens because writebegin will succeed as when ext4genericwriteinlinedata calls ext4prepareinlinedata, pos + len will be truncated, leading to ext4prepareinline_data parameter to be 6 instead of 0x10000000006.
Then, later when write_end is called, we hit:
BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);at ext4writeinline_data.
Fix it by using a lofft type for the len parameter in ext4prepareinlinedata instead of an unsigned int.
[ 44.545164] ------------[ cut here ]------------ [ 44.545530] kernel BUG at fs/ext4/inline.c:240! [ 44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full) 112853fcebfdb93254270a7959841d2c6aa2c8bb [ 44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 44.546523] RIP: 0010:ext4writeinlinedata+0xfe/0x100 [ 44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49 [ 44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216 [ 44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006 [ 44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738 [ 44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 [ 44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000 [ 44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738 [ 44.546523] FS: 00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000 [ 44.546523] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0 [ 44.546523] PKRU: 55555554 [ 44.546523] Call Trace: [ 44.546523] <TASK> [ 44.546523] ext4writeinlinedataend+0x126/0x2d0 [ 44.546523] genericperformwrite+0x17e/0x270 [ 44.546523] ext4bufferedwriteiter+0xc8/0x170 [ 44.546523] vfswrite+0x2be/0x3e0 [ 44.546523] x64syspwrite64+0x6d/0xc0 [ 44.546523] dosyscall64+0x6a/0xf0 [ 44.546523] ? _wakeup+0x89/0xb0 [ 44.546523] ? xasfind+0x72/0x1c0 [ 44.546523] ? nextuptodatefolio+0x317/0x330 [ 44.546523] ? setpterange+0x1a6/0x270 [ 44.546523] ? filemapmappages+0x6ee/0x840 [ 44.546523] ? ext4setattr+0x2fa/0x750 [ 44.546523] ? doptemissing+0x128/0xf70 [ 44.546523] ? securityinodepostsetattr+0x3e/0xd0 [ 44.546523] ? pteoffsetmap+0x19/0x100 [ 44.546523] ? handlemmfault+0x721/0xa10 [ 44.546523] ? douseraddrfault+0x197/0x730 [ 44.546523] ? dosyscall64+0x76/0xf0 [ 44.546523] ? archexittousermodeprepare+0x1e/0x60 [ 44.546523] ? irqentryexittousermode+0x79/0x90 [ 44.546523] entrySYSCALL64afterhwframe+0x55/0x5d [ 44.546523] RIP: 0033:0x7f42999c6687 [ 44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff [ 44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIGRAX: 0000000000000012 [ 44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687 [ 44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003 [ 44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000 [ 44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 0000 ---truncated---
- References
-
- https://git.kernel.org/stable/c/227cb4ca5a6502164f850d22aec3104d7888b270
- https://git.kernel.org/stable/c/26e09d18599da0adc543eabd300080daaeda6869
- https://git.kernel.org/stable/c/5766da2237e539f259aa0e5f3639ae37b44ca458
- https://git.kernel.org/stable/c/717414a8c083c376d4a8940a1230fe0c6ed4ee00
- https://git.kernel.org/stable/c/9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8
- https://git.kernel.org/stable/c/cf5f319a2d8ab8238f8cf3a19463b9bff6420934
- https://git.kernel.org/stable/c/d3dfc60efd145df5324b99a244b0b05505cde29b
- https://git.kernel.org/stable/c/e80ee0263d88d77f2fd1927f915003a7066cbb50
- https://security-tracker.debian.org/tracker/CVE-2025-38222
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected