CVE-2025-39735

In the Linux kernel, the following vulnerability has been resolved:

jfs: fix slab-out-of-bounds read in ea_get()

During the "size_check" label in ea_get(), the code checks if the extended attribute list (xattr) size matches ea_size. If not, it logs "ea_get: invalid extended attribute" and calls print_hex_dump().

Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds INT_MAX (2,147,483,647). Then ea_size is clamped:

    int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));

Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper limit is treated as an int, causing an overflow above 2^31 - 1. This leads "size" to wrap around and become negative (-184549328).

The "size" is then passed to print_hex_dump() (called "len" in print_hex_dump()); it is passed as type size_t (an unsigned type). This is then stored inside a variable called "int remaining", which is then assigned to "int linelen", which is then passed to hex_dump_to_buffer().

In print_hex_dump() the for loop iterates through 0 to len-1, where len is 18446744073525002176, calling hex_dump_to_buffer() on each iteration:

    for (i = 0; i < len; i += rowsize) {
        linelen = min(remaining, rowsize);
        remaining -= rowsize;
        hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize, linebuf, sizeof(linebuf), ascii);
        ...
    }

The expected stopping condition (i < len) is effectively broken since len is corrupted and very large. This eventually leads to "ptr+i" being passed to hex_dump_to_buffer() closer and closer to the end of the actual bounds of "ptr"; eventually an out-of-bounds access is done in hex_dump_to_buffer() in the following for loop:

    for (j = 0; j < len; j++) {
        if (linebuflen < lx + 2)
            goto overflow2;
        ch = ptr[j];
        ...
    }

To fix this we should validate "EALIST_SIZE(ea_buf->xattr)" before it is utilised.
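The advisory's root cause is a type conversion, not a logic error in the loop, so it is worth seeing the conversion in isolation. The following C program is an added example written for this page; it is not the upstream patch or kernel code. It models the kernel's clamp_t(int, ...) with small int helper functions (so the upper bound passes through an int parameter, as the macro's cast does), uses the EALIST_SIZE value quoted above, and pairs the unchecked path with the kind of validation the commit message calls for. The 4 KiB backing buffer and the ea_size of 5000 are constructed inputs; the size_t value printed here is the bare cast of the negative size and differs slightly from the len figure on the page, which reflects further arithmetic in the caller.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the kernel's clamp_t(int, val, lo, hi): the macro converts
 * the value and both bounds to the requested type before comparing, which
 * an int parameter reproduces. (Illustrative helpers, not kernel code.) */
static int max_int(int a, int b) { return a > b ? a : b; }
static int min_int(int a, int b) { return a < b ? a : b; }
static int clamp_int(int val, int lo, int hi)
{
    return min_int(max_int(val, lo), hi);
}

/* Value the advisory quotes for EALIST_SIZE(ea_buf->xattr). */
#define ADVISORY_EALIST_SIZE 4110417968u

/* Before the fix: the 32-bit list size is silently converted to int when it
 * becomes the upper clamp bound. On a two's-complement target 4110417968
 * turns into -184549328, so every non-negative ea_size clamps to that value. */
int vulnerable_size(int ea_size, uint32_t ealist_size)
{
    return clamp_int(ea_size, 0, ealist_size);   /* implicit u32 -> int */
}

/* print_hex_dump() takes len as size_t, so the negative int becomes a huge
 * unsigned count; that is what defeats the loop bound i < len. */
size_t as_dump_len(int size)
{
    return (size_t)size;
}

/* After the fix (the validation the advisory asks for, written here as an
 * assumption about what "validate before use" means, not the upstream diff):
 * the on-disk list size must fit in the buffer backing it and must be
 * representable as a non-negative int before it is used as a bound. */
bool ealist_size_ok(uint32_t ealist_size, size_t buf_len)
{
    if (ealist_size > (uint32_t)INT_MAX)
        return false;                      /* would wrap negative as int */
    return (size_t)ealist_size <= buf_len; /* must not exceed the buffer */
}

/* Returns the clamped size, or -1 when the list header cannot be trusted. */
int fixed_size(int ea_size, uint32_t ealist_size, size_t buf_len)
{
    if (!ealist_size_ok(ealist_size, buf_len))
        return -1;
    return clamp_int(ea_size, 0, (int)ealist_size); /* cast is now safe */
}

int main(void)
{
    /* Constructed scenario: a 4 KiB buffer whose header claims the size
     * quoted in the advisory, and a caller-supplied ea_size of 5000. */
    size_t buf_len = 4096;
    int ea_size = 5000;

    int bad = vulnerable_size(ea_size, ADVISORY_EALIST_SIZE);
    printf("unchecked clamp: size = %d, as size_t len = %zu\n",
           bad, as_dump_len(bad));

    int good = fixed_size(ea_size, ADVISORY_EALIST_SIZE, buf_len);
    printf("validated path:  size = %d (-1 means rejected)\n", good);

    good = fixed_size(ea_size, 4096u, buf_len);
    printf("sane header:     size = %d\n", good);
    return 0;
}
```

The check belongs before the clamp, not after it: once the bound has been converted to int the information that it was out of range is gone, and nothing downstream (print_hex_dump, hex_dump_to_buffer) can recover it.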
Configurations

Configuration 1

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

28 Apr 2025, 14:37

Type       | Values Removed              | Values Added
CWE        |                             | CWE-125
CPE        |                             | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
First Time |                             | Linux
           |                             | Linux linux Kernel
Summary    |                             | (es) In the Linux kernel, the following vulnerability has been resolved: jfs: fix slab-out-of-bounds read in ea_get(). During the "size_check" label in ea_get(), the code checks whether the extended attribute list (xattr) size matches ea_size. If not, it logs "ea_get: invalid extended attribute" and calls print_hex_dump(). Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds INT_MAX (2147483647). ea_size is then clamped: int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper limit is treated as an int, causing an overflow above 2^31 - 1. This makes "size" wrap around and become negative (-184549328). The "size" is passed to print_hex_dump() (called "len" in print_hex_dump()) as type size_t (an unsigned type). It is stored in a variable called "int remaining", which is assigned to "int linelen", which in turn is passed to hex_dump_to_buffer(). In print_hex_dump(), the for loop iterates from 0 to len-1, where len is 18446744073525002176, and calls hex_dump_to_buffer() on each iteration: for (i = 0; i < len; i += rowsize) { linelen = min(remaining, rowsize); remaining -= rowsize; hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize, linebuf, sizeof(linebuf), ascii); ... } The expected stopping condition (i < len) is effectively broken since len is corrupted and very large. This eventually leads to "ptr+i" being passed to hex_dump_to_buffer() closer and closer to the end of the real bounds of "ptr"; eventually an out-of-bounds access occurs in hex_dump_to_buffer() in the following for loop: for (j = 0; j < len; j++) { if (linebuflen < lx + 2) goto overflow2; ch = ptr[j]; ... } To fix this we must validate "EALIST_SIZE(ea_buf->xattr)" before using it.
CVSS       | v2 : unknown                | v2 : unknown
           | v3 : unknown                | v3 : 7.1
References |                             | https://git.kernel.org/stable/c/0beddc2a3f9b9cf7d8887973041e36c2d0fa3652 (Patch)
References |                             | https://git.kernel.org/stable/c/16d3d36436492aa248b2d8045e75585ebcc2f34d (Patch)
References |                             | https://git.kernel.org/stable/c/3d6fd5b9c6acbc005e53d0211c7381f566babec1 (Patch)
References |                             | https://git.kernel.org/stable/c/46e2c031aa59ea65128991cbca474bd5c0c2ecdb (Patch)
References |                             | https://git.kernel.org/stable/c/50afcee7011155933d8d5e8832f52eeee018cfd3 (Patch)
References |                             | https://git.kernel.org/stable/c/5263822558a8a7c0d0248d5679c2dcf4d5cda61f (Patch)
References |                             | https://git.kernel.org/stable/c/78c9cbde8880ec02d864c166bcb4fe989ce1d95f (Patch)
References |                             | https://git.kernel.org/stable/c/a8c31808925b11393a6601f534bb63bac5366bab (Patch)
References |                             | https://git.kernel.org/stable/c/fdf480da5837c23b146c4743c18de97202fcab37 (Patch)

18 Apr 2025, 07:15

Type       | Values Removed              | Values Added
New CVE    |                             |

Information

Published : 2025-04-18 07:15

Updated : 2025-10-01 17:15


NVD link : CVE-2025-39735

Mitre link : CVE-2025-39735

CVE.ORG link : CVE-2025-39735


Products Affected

linux
  • linux_kernel

CWE

CWE-125 Out-of-bounds Read