CVE-2025-39735

During the "sizecheck" label in eaget(), the code checks if the extended attribute list (xattr) size matches easize. If not, it logs "eaget: invalid extended attribute" and calls printhexdump().

Here, EALISTSIZE(eabuf->xattr) returns 4110417968, which exceeds INTMAX (2,147,483,647). Then easize is clamped:

int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));

Although clampt aims to bound easize between 0 and 4110417968, the upper limit is treated as an int, causing an overflow above 2^31 - 1. This leads "size" to wrap around and become negative (-184549328).

The "size" is then passed to printhexdump() (called "len" in printhexdump()), it is passed as type sizet (an unsigned type), this is then stored inside a variable called "int remaining", which is then assigned to "int linelen" which is then passed to hexdumptobuffer(). In printhexdump() the for loop, iterates through 0 to len-1, where len is 18446744073525002176, calling hexdumpto_buffer() on each iteration:

for (i = 0; i < len; i += rowsize) {
    linelen = min(remaining, rowsize);
    remaining -= rowsize;

    hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
               linebuf, sizeof(linebuf), ascii);

    ...
}

The expected stopping condition (i < len) is effectively broken since len is corrupted and very large. This eventually leads to the "ptr+i" being passed to hexdumptobuffer() to get closer to the end of the actual bounds of "ptr", eventually an out of bounds access is done in hexdumptobuffer() in the following for loop:

for (j = 0; j < len; j++) {
        if (linebuflen < lx + 2)
            goto overflow2;
        ch = ptr[j];
    ...
}

To fix this we should validate "EALISTSIZE(eabuf->xattr)" before it is utilised.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

6e39b681d1eb16f408493bf5023788b57f68998c

Fixed

3d6fd5b9c6acbc005e53d0211c7381f566babec1

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

bbf3f1fd8a0ac7df1db36a9b9e923041a14369f2

Fixed

50afcee7011155933d8d5e8832f52eeee018cfd3

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

27a93c45e16ac25a0e2b5e5668e2d1beca56a478

Fixed

78c9cbde8880ec02d864c166bcb4fe989ce1d95f

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9c356fc32a4480a2c0e537a05f2a8617633ddad0

Fixed

46e2c031aa59ea65128991cbca474bd5c0c2ecdb

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9353cdf28d4c5c0ff19c5df7fbf81ea774de43a4

Fixed

a8c31808925b11393a6601f534bb63bac5366bab

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

8c505ebeed8045b488b2e60b516c752b851f8437

Fixed

0beddc2a3f9b9cf7d8887973041e36c2d0fa3652

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

d9f9d96136cba8fedd647d2c024342ce090133c2

Fixed

16d3d36436492aa248b2d8045e75585ebcc2f34d

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

d9f9d96136cba8fedd647d2c024342ce090133c2

Fixed

5263822558a8a7c0d0248d5679c2dcf4d5cda61f

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

d9f9d96136cba8fedd647d2c024342ce090133c2

Fixed

fdf480da5837c23b146c4743c18de97202fcab37

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

4ea25fa8747fb8b1e5a11d87b852023ecf7ae420

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

676a787048aafd4d1b38a522b05a9cc77e1b0a33

Affected versions

v4.*

v4.19.325

v5.*

v5.10.1

v5.10.10

v5.10.11

v5.10.12

v5.10.13

v5.10.14

v5.10.15

v5.10.16

v5.10.17

v5.10.18

v5.10.19

v5.10.2

v5.10.231

v5.10.232

v5.10.233

v5.10.234

v5.10.235

v5.10.3

v5.10.4

v5.10.5

v5.10.6

v5.10.7

v5.10.8

v5.10.9

v5.11.1

v5.11.10

v5.11.11

v5.11.12

v5.11.13

v5.11.14

v5.11.15

v5.11.16

v5.11.17

v5.11.18

v5.11.19

v5.11.2

v5.11.20

v5.11.21

v5.11.3

v5.11.4

v5.11.5

v5.11.6

v5.11.7

v5.11.8

v5.11.9

v5.12.1

v5.12.10

v5.12.11

v5.12.12

v5.12.13

v5.12.14

v5.12.15

v5.12.16

v5.12.17

v5.12.18

v5.12.19

v5.12.2

v5.12.3

v5.12.4

v5.12.5

v5.12.6

v5.12.7

v5.12.8

v5.12.9

v5.13.1

v5.13.10

v5.13.11

v5.13.12

v5.13.13

v5.13.14

v5.13.15

v5.13.16

v5.13.17

v5.13.18

v5.13.2

v5.13.3

v5.13.4

v5.13.5

v5.13.6

v5.13.7

v5.13.8

v5.13.9

v5.14.1

v5.14.10

v5.14.11

v5.14.12

v5.14.13

v5.14.14

v5.14.15

v5.14.16

v5.14.17

v5.14.18

v5.14.19

v5.14.2

v5.14.20

v5.14.3

v5.14.4

v5.14.5

v5.14.6

v5.14.7

v5.14.8

v5.14.9

v5.15.1

v5.15.10

v5.15.11

v5.15.12

v5.15.13

v5.15.14

v5.15.15

v5.15.16

v5.15.17

v5.15.174

v5.15.175

v5.15.176

v5.15.177

v5.15.178

v5.15.179

v5.15.18

v5.15.19

v5.15.2

v5.15.3

v5.15.4

v5.15.5

v5.15.6

v5.15.7

v5.15.8

v5.15.9

v5.16.1

v5.16.10

v5.16.11

v5.16.12

v5.16.13

v5.16.14

v5.16.15

v5.16.16

v5.16.17

v5.16.18

v5.16.19

v5.16.2

v5.16.20

v5.16.3

v5.16.4

v5.16.5

v5.16.6

v5.16.7

v5.16.8

v5.16.9

v5.17.1

v5.17.10

v5.17.11

v5.17.12

v5.17.13

v5.17.14

v5.17.2

v5.17.3

v5.17.4

v5.17.5

v5.17.6

v5.17.7

v5.17.8

v5.17.9

v5.18.1

v5.18.10

v5.18.11

v5.18.12

v5.18.13

v5.18.14

v5.18.15

v5.18.16

v5.18.17

v5.18.18

v5.18.19

v5.18.2

v5.18.3

v5.18.4

v5.18.5

v5.18.6

v5.18.7

v5.18.8

v5.18.9

v5.19.1

v5.19.10

v5.19.11

v5.19.12

v5.19.13

v5.19.14

v5.19.15

v5.19.16

v5.19.2

v5.19.3

v5.19.4

v5.19.5

v5.19.6

v5.19.7

v5.19.8

v5.19.9

v5.4.287

v5.4.288

v5.4.289

v5.4.290

v5.4.291

v5.6.1

v5.6.10

v5.6.11

v5.6.12

v5.6.13

v5.6.14

v5.6.15

v5.6.16

v5.6.17

v5.6.18

v5.6.2

v5.6.3

v5.6.4

v5.6.5

v5.6.6

v5.6.7

v5.6.8

v5.6.9

v5.7.1

v5.7.10

v5.7.11

v5.7.12

v5.7.13

v5.7.14

v5.7.15

v5.7.16

v5.7.2

v5.7.3

v5.7.4

v5.7.5

v5.7.6

v5.7.7

v5.7.8

v5.7.9

v5.8.1

v5.8.10

v5.8.11

v5.8.12

v5.8.13

v5.8.14

v5.8.15

v5.8.16

v5.8.17

v5.8.18

v5.8.2

v5.8.3

v5.8.4

v5.8.5

v5.8.6

v5.8.7

v5.8.8

v5.8.9

v5.9.1

v5.9.10

v5.9.11

v5.9.12

v5.9.13

v5.9.14

v5.9.15

v5.9.16

v5.9.2

v5.9.3

v5.9.4

v5.9.5

v5.9.6

v5.9.7

v5.9.8

v5.9.9

v6.*

v6.0.1

v6.0.10

v6.0.11

v6.0.12

v6.0.13

v6.0.14

v6.0.15

v6.0.16

v6.0.17

v6.0.18

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.0.6

v6.0.7

v6.0.8

v6.0.9

v6.1.1

v6.1.10

v6.1.11

v6.1.12

v6.1.120

v6.1.121

v6.1.122

v6.1.123

v6.1.124

v6.1.125

v6.1.126

v6.1.127

v6.1.128

v6.1.129

v6.1.13

v6.1.130

v6.1.131

v6.1.132

v6.1.133

v6.1.14

v6.1.15

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.1.7

v6.1.8

v6.1.9

v6.10.1

v6.10.10

v6.10.11

v6.10.12

v6.10.13

v6.10.2

v6.10.3

v6.10.4

v6.10.5

v6.10.6

v6.10.7

v6.10.8

v6.10.9

v6.11.11

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.15

v6.12.16

v6.12.17

v6.12.18

v6.12.19

v6.12.2

v6.12.20

v6.12.21

v6.12.22

v6.12.3

v6.12.4

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.13.1

v6.13.10

v6.13.11

v6.13.12

v6.13.2

v6.13.3

v6.13.4

v6.13.5

v6.13.6

v6.13.7

v6.13.8

v6.13.9

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.14.1

v6.14.10

v6.14.11

v6.14.2

v6.14.3

v6.14.4

v6.14.5

v6.14.6

v6.14.7

v6.14.8

v6.14.9

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.15.1

v6.15.10

v6.15.11

v6.15.2

v6.15.3

v6.15.4

v6.15.5

v6.15.6

v6.15.7

v6.15.8

v6.15.9

v6.16

v6.16-rc1

v6.16-rc2

v6.16-rc3

v6.16-rc4

v6.16-rc5

v6.16-rc6

v6.16-rc7

v6.16.1

v6.16.10

v6.16.11

v6.16.12

v6.16.2

v6.16.3

v6.16.4

v6.16.5

v6.16.6

v6.16.7

v6.16.8

v6.16.9

v6.17

v6.17-rc1

v6.17-rc2

v6.17-rc3

v6.17-rc4

v6.17-rc5

v6.17-rc6

v6.17-rc7

v6.17.1

v6.17.2

v6.17.3

v6.2.1

v6.2.10

v6.2.11

v6.2.12

v6.2.13

v6.2.14

v6.2.15

v6.2.2

v6.2.3

v6.2.4

v6.2.5

v6.2.6

v6.2.7

v6.2.8

v6.2.9

v6.3.1

v6.3.10

v6.3.11

v6.3.12

v6.3.2

v6.3.3

v6.3.4

v6.3.5

v6.3.6

v6.3.7

v6.3.8

v6.3.9

v6.4.1

v6.4.10

v6.4.11

v6.4.12

v6.4.13

v6.4.14

v6.4.15

v6.4.16

v6.4.2

v6.4.3

v6.4.4

v6.4.5

v6.4.6

v6.4.7

v6.4.8

v6.4.9

v6.5.1

v6.5.10

v6.5.11

v6.5.12

v6.5.13

v6.5.2

v6.5.3

v6.5.4

v6.5.5

v6.5.6

v6.5.7

v6.5.8

v6.5.9

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.2

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.64

v6.6.65

v6.6.66

v6.6.67

v6.6.68

v6.6.69

v6.6.7

v6.6.70

v6.6.71

v6.6.72

v6.6.73

v6.6.74

v6.6.75

v6.6.76

v6.6.77

v6.6.78

v6.6.79

v6.6.8

v6.6.80

v6.6.81

v6.6.82

v6.6.83

v6.6.84

v6.6.85

v6.6.86

v6.6.9

v6.7.1

v6.7.10

v6.7.11

v6.7.2

v6.7.3

v6.7.4

v6.7.5

v6.7.6

v6.7.7

v6.7.8

v6.7.9

v6.8.1

v6.8.10

v6.8.11

v6.8.2

v6.8.3

v6.8.4

v6.8.5

v6.8.6

v6.8.7

v6.8.8

v6.8.9

v6.9.1

v6.9.10

v6.9.11

v6.9.12

v6.9.2

v6.9.3

v6.9.4

v6.9.5

v6.9.6

v6.9.7

v6.9.8

v6.9.9

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.4.292

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.236

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.180

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.134

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.87

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.23

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.13.11

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.14.2