CVE-2025-40054
- Source
- https://cve.org/CVERecord?id=CVE-2025-40054
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40054.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-40054
- Downstream
- Published
- 2025-10-28T11:48:29.073Z
- Modified
- 2025-12-05T10:17:00.820168Z
- Summary
- f2fs: fix UAF issue in f2fs_merge_page_bio()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix UAF issue in f2fsmergepage_bio()
As JY reported in bugzilla [1],
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 pc : [0xffffffe51d249484] f2fsiscpguaranteed+0x70/0x98 lr : [0xffffffe51d24adbc] f2fsmergepagebio+0x520/0x6d4 CPU: 3 UID: 0 PID: 6790 Comm: kworker/u16:3 Tainted: P B W OE 6.12.30-android16-5-maybe-dirty-4k #1 5f7701c9cbf727d1eebe77c89bbbeb3371e895e5 Tainted: [P]=PROPRIETARYMODULE, [B]=BADPAGE, [W]=WARN, [O]=OOTMODULE, [E]=UNSIGNEDMODULE Workqueue: writeback wbworkfn (flush-254:49) Call trace: f2fsiscpguaranteed+0x70/0x98 f2fsinplacewritedata+0x174/0x2f4 f2fsdowritedatapage+0x214/0x81c f2fswritesingledatapage+0x28c/0x764 f2fswritedatapages+0x78c/0xce4 dowritepages+0xe8/0x2fc _writebacksingleinode+0x4c/0x4b4 writebacksbinodes+0x314/0x540 _writebackinodeswb+0xa4/0xf4 wbwriteback+0x160/0x448 wbworkfn+0x2f0/0x5dc processscheduledworks+0x1c8/0x458 workerthread+0x334/0x3f0 kthread+0x118/0x1ac retfromfork+0x10/0x20
[1] https://bugzilla.kernel.org/show_bug.cgi?id=220575
The panic was caused by UAF issue w/ below race condition:
kworker - writepages - f2fswritecachepages - f2fswritesingledatapage - f2fsdowritedatapage - f2fsinplacewritedata - f2fsmergepagebio - addinupage : cache page #1 into bio & cache bio in io->biolist - f2fswritesingledatapage - f2fsdowritedatapage - f2fsinplacewritedata - f2fsmergepagebio - addinupage : cache page #2 into bio which is linked in io->biolist write - f2fswritebegin : write page #1 - f2fsfoliowaitwriteback - f2fssubmitmergedipuwrite - f2fssubmitwrite_bio : submit bio which inclues page #1 and #2
software IRQ - f2fs_write_end_io - fscrypt_free_bounce_page : freed bounced page which belongs to page #2 - inc_page_count( , WB_DATA_TYPE(data_folio), false) : data_folio points to fio->encrypted_page the bounced page can be freed before accessing it in f2fs_is_cp_guarantee()It can reproduce w/ below testcase: Run below script in shell #1: for ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file \ -c "pwrite 0 32k" -c "fdatasync"
Run below script in shell #2: for ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file \ -c "pwrite 0 32k" -c "fdatasync"
So, in f2fsmergepagebio(), let's avoid using fio->encryptedpage after commit page into internal ipu cache.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40054.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/01118321e0c8a5f3ece57d0d377bfc92d83cd210
- https://git.kernel.org/stable/c/edf7e9040fc52c922db947f9c6c36f07377c52ea
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40054.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-40054
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0b20fcec8651569935a10afe03fedc0b812d044eFixed01118321e0c8a5f3ece57d0d377bfc92d83cd210Fixededf7e9040fc52c922db947f9c6c36f07377c52ea