CVE-2025-22036

Description

In the Linux kernel, the following vulnerability has been resolved: exfat: fix random stack corruption after get_block When get_block is called with a buffer_head allocated on the stack, such as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in the following race condition situation. <CPU 0> <CPU 1> mpage_read_folio <<bh on stack>> do_mpage_readpage exfat_get_block bh_read __bh_read get_bh(bh) submit_bh wait_on_buffer ... end_buffer_read_sync __end_buffer_read_notouch unlock_buffer <<keep going>> ... ... ... ... <<bh is not valid out of mpage_read_folio>> . . another_function <<variable A on stack>> put_bh(bh) atomic_dec(bh->b_count) * stack corruption here * This patch returns -EAGAIN if a folio does not have buffers when bh_read needs to be called. By doing this, the caller can fallback to functions like block_read_full_folio(), create a buffer_head in the folio, and then call get_block again. Let's do not call bh_read() with on-stack buffer_head.

Reserved 2024-12-29 | Published 2025-04-16 | Updated 2025-05-26 | Assigner Linux

Product status

Default status
unaffected

11a347fb6cef62ce47e84b97c45f2b2497c7593b before 49b0a6ab8e528a0c1c50e37cef9b9c7c121365f2
affected

11a347fb6cef62ce47e84b97c45f2b2497c7593b before f7447286363dc1e410bf30b87d75168f3519f9cc
affected

11a347fb6cef62ce47e84b97c45f2b2497c7593b before f807a6bf2005740fa26b4f59c4a003dc966b9afd
affected

11a347fb6cef62ce47e84b97c45f2b2497c7593b before 1bb7ff4204b6d4927e982cd256286c09ed4fd8ca
affected

Default status
affected

6.8
affected

Any version before 6.8
unaffected

6.12.23
unaffected

6.13.11
unaffected

6.14.2
unaffected

6.15
unaffected

References

git.kernel.org/...c/49b0a6ab8e528a0c1c50e37cef9b9c7c121365f2

git.kernel.org/...c/f7447286363dc1e410bf30b87d75168f3519f9cc

git.kernel.org/...c/f807a6bf2005740fa26b4f59c4a003dc966b9afd

git.kernel.org/...c/1bb7ff4204b6d4927e982cd256286c09ed4fd8ca

cve.org (CVE-2025-22036)

nvd.nist.gov (CVE-2025-22036)

Download JSON