CVE-2025-38415

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38415
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38415.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38415
Downstream
Related
Published
2025-07-25T14:15:33Z
Modified
2025-08-12T21:01:18Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

Squashfs: check return result of sbminblocksize

Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfsbioread" bug.

Syzkaller forks multiple processes which after mounting the Squashfs filesystem, issues an ioctl("/dev/loop0", LOOPSETBLOCKSIZE, 0x8000). Now if this ioctl occurs at the same time another process is in the process of mounting a Squashfs filesystem on /dev/loop0, the failure occurs. When this happens the following code in squashfsfill_super() fails.


msblk->devblksize = sbminblocksize(sb, SQUASHFSDEVBLKSIZE);

msblk->devblksize_log2 = ffz(~msblk->devblksize);

sbminblocksize() returns 0, which means msblk->devblksize is set to 0.

As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2 is set to 64.

This subsequently causes the

UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36 shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')

This commit adds a check for a 0 return by sbminblocksize().

References

Affected packages