THREATINT
PUBLISHED

CVE-2025-37780

isofs: Prevent the use of too small fid



Description

In the Linux kernel, the following vulnerability has been resolved:

isofs: Prevent the use of too small fid

syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1]

The handle_bytes value passed in by the reproducing program is equal to 12. In handle_to_path(), only 12 bytes of memory are allocated for the structure file_handle->f_handle member, which causes an out-of-bounds access when accessing the member parent_block of the structure isofs_fid in isofs, because accessing parent_block requires at least 16 bytes of f_handle. Here, fh_len is used to indirectly confirm that the value of handle_bytes is greater than 3 before accessing parent_block.

[1]
BUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
Read of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466

CPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0x198/0x550 mm/kasan/report.c:521
 kasan_report+0xd8/0x138 mm/kasan/report.c:634
 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
 isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
 exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523
 do_handle_to_path+0xa0/0x198 fs/fhandle.c:257
 handle_to_path fs/fhandle.c:385 [inline]
 do_handle_open+0x8cc/0xb8c fs/fhandle.c:403
 __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
 __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
 __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Allocated by task 6466:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4294 [inline]
 __kmalloc_noprof+0x32c/0x54c mm/slub.c:4306
 kmalloc_noprof include/linux/slab.h:905 [inline]
 handle_to_path fs/fhandle.c:357 [inline]
 do_handle_open+0x5a4/0xb8c fs/fhandle.c:403
 __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
 __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
 __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
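
The length check the description calls for, as an added user-space C example (not the kernel patch and not code from this page): it derives the minimum handle length for parent_block from the structure layout and refuses the read when the handle is shorter. The isofs_fid_model layout and all function names are assumptions, chosen so that parent_block ends at byte 16 as the description states; fh_len is taken to count 4-byte words, so a 12-byte handle arrives as fh_len == 3.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed user-space model of the isofs file-handle layout: parent_block
 * starts at byte 12 and ends at byte 16, matching the description. */
struct isofs_fid_model {
    uint32_t block;
    uint16_t offset;
    uint16_t parent_offset;
    uint32_t generation;
    uint32_t parent_block;
    uint32_t parent_generation;
};

/* Number of 32-bit words a handle must hold before `field` is fully inside it. */
#define FID_WORDS_FOR(field) \
    ((offsetof(struct isofs_fid_model, field) + \
      sizeof(((struct isofs_fid_model *)0)->field) + 3) / 4)

/* Copy a 32-bit field out of the handle only if fh_len words cover it.
 * On a short handle, *out is set to 0 and 0 is returned. */
static int fid_read_u32(const void *buf, int fh_len, size_t off,
                        size_t words_needed, uint32_t *out)
{
    *out = 0;
    if (fh_len < 0 || (size_t)fh_len < words_needed)
        return 0;
    memcpy(out, (const unsigned char *)buf + off, sizeof(*out));
    return 1;
}

/* Hypothetical helper: bounds-checked read of parent_block. */
int read_parent_block(const void *buf, int fh_len, uint32_t *out)
{
    return fid_read_u32(buf, fh_len,
                        offsetof(struct isofs_fid_model, parent_block),
                        FID_WORDS_FOR(parent_block), out);
}

int main(void)
{
    uint32_t words[4] = {1, 2, 3, 0x1234};  /* constructed sample handle */
    uint32_t pb;
    int short_ok = read_parent_block(words, 3, &pb); /* 12 bytes: refused */
    int full_ok = read_parent_block(words, 4, &pb);  /* 16 bytes: allowed */
    return !(short_ok == 0 && full_ok == 1 && pb == 0x1234);
}
```

Deriving the threshold from offsetof and sizeof keeps the check tied to the field actually being read, so a change in layout cannot silently leave a stale hard-coded length in place.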

Reserved 2025-04-16 | Published 2025-05-01 | Updated 2025-05-26 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before ee01a309ebf598be1ff8174901ed6e91619f1749
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 5e7de55602c61c8ff28db075cc49c8dd6989d7e0
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 63d5a3e207bf315a32c7d16de6c89753a759f95a
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 0fdafdaef796816a9ed0fd7ac812932d569d9beb
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 952e7a7e317f126d0a2b879fc531b716932d5ffa
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 56dfffea9fd3be0b3795a9ca6401e133a8427e0b
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 007124c896e7d4614ac1f6bd4dedb975c35a2a8e
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 0405d4b63d082861f4eaff9d39c78ee9dc34f845
affected

Default status
affected

2.6.12
affected

Any version before 2.6.12
unaffected

5.4.293
unaffected

5.10.237
unaffected

5.15.181
unaffected

6.1.135
unaffected

6.6.88
unaffected

6.12.25
unaffected

6.14.4
unaffected

6.15
unaffected

References

git.kernel.org/...c/ee01a309ebf598be1ff8174901ed6e91619f1749

git.kernel.org/...c/5e7de55602c61c8ff28db075cc49c8dd6989d7e0

git.kernel.org/...c/63d5a3e207bf315a32c7d16de6c89753a759f95a

git.kernel.org/...c/0fdafdaef796816a9ed0fd7ac812932d569d9beb

git.kernel.org/...c/952e7a7e317f126d0a2b879fc531b716932d5ffa

git.kernel.org/...c/56dfffea9fd3be0b3795a9ca6401e133a8427e0b

git.kernel.org/...c/007124c896e7d4614ac1f6bd4dedb975c35a2a8e

git.kernel.org/...c/0405d4b63d082861f4eaff9d39c78ee9dc34f845

cve.org (CVE-2025-37780)

nvd.nist.gov (CVE-2025-37780)
