Home

Description

In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() The hfsplus_readdir() method is capable to crash by calling hfsplus_uni2asc(): [ 667.121659][ T9805] ================================================================== [ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10 [ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805 [ 667.124578][ T9805] [ 667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full) [ 667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 667.124890][ T9805] Call Trace: [ 667.124893][ T9805] <TASK> [ 667.124896][ T9805] dump_stack_lvl+0x10e/0x1f0 [ 667.124911][ T9805] print_report+0xd0/0x660 [ 667.124920][ T9805] ? __virt_addr_valid+0x81/0x610 [ 667.124928][ T9805] ? __phys_addr+0xe8/0x180 [ 667.124934][ T9805] ? hfsplus_uni2asc+0x902/0xa10 [ 667.124942][ T9805] kasan_report+0xc6/0x100 [ 667.124950][ T9805] ? hfsplus_uni2asc+0x902/0xa10 [ 667.124959][ T9805] hfsplus_uni2asc+0x902/0xa10 [ 667.124966][ T9805] ? hfsplus_bnode_read+0x14b/0x360 [ 667.124974][ T9805] hfsplus_readdir+0x845/0xfc0 [ 667.124984][ T9805] ? __pfx_hfsplus_readdir+0x10/0x10 [ 667.124994][ T9805] ? stack_trace_save+0x8e/0xc0 [ 667.125008][ T9805] ? iterate_dir+0x18b/0xb20 [ 667.125015][ T9805] ? trace_lock_acquire+0x85/0xd0 [ 667.125022][ T9805] ? lock_acquire+0x30/0x80 [ 667.125029][ T9805] ? iterate_dir+0x18b/0xb20 [ 667.125037][ T9805] ? down_read_killable+0x1ed/0x4c0 [ 667.125044][ T9805] ? putname+0x154/0x1a0 [ 667.125051][ T9805] ? __pfx_down_read_killable+0x10/0x10 [ 667.125058][ T9805] ? apparmor_file_permission+0x239/0x3e0 [ 667.125069][ T9805] iterate_dir+0x296/0xb20 [ 667.125076][ T9805] __x64_sys_getdents64+0x13c/0x2c0 [ 667.125084][ T9805] ? __pfx___x64_sys_getdents64+0x10/0x10 [ 667.125091][ T9805] ? __x64_sys_openat+0x141/0x200 [ 667.125126][ T9805] ? __pfx_filldir64+0x10/0x10 [ 667.125134][ T9805] ? do_user_addr_fault+0x7fe/0x12f0 [ 667.125143][ T9805] do_syscall_64+0xc9/0x480 [ 667.125151][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9 [ 667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 [ 667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9 [ 667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9 [ 667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004 [ 667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110 [ 667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260 [ 667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 667.125207][ T9805] </TASK> [ 667.125210][ T9805] [ 667.145632][ T9805] Allocated by task 9805: [ 667.145991][ T9805] kasan_save_stack+0x20/0x40 [ 667.146352][ T9805] kasan_save_track+0x14/0x30 [ 667.146717][ T9805] __kasan_kmalloc+0xaa/0xb0 [ 667.147065][ T9805] __kmalloc_noprof+0x205/0x550 [ 667.147448][ T9805] hfsplus_find_init+0x95/0x1f0 [ 667.147813][ T9805] hfsplus_readdir+0x220/0xfc0 [ 667.148174][ T9805] iterate_dir+0x296/0xb20 [ 667.148549][ T9805] __x64_sys_getdents64+0x13c/0x2c0 [ 667.148937][ T9805] do_syscall_64+0xc9/0x480 [ 667.149291][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 667.149809][ T9805] [ 667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000 [ 667.150030][ T9805] which belongs to the cache kmalloc-2k of size 2048 [ 667.151282][ T9805] The buggy address is located 0 bytes to the right of [ 667.151282][ T9805] allocated 1036-byte region [ffff88802592f000, ffff88802592f40c) [ 667.1 ---truncated---

PUBLISHED Reserved 2025-04-16 | Published 2025-09-04 | Updated 2025-09-29 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 73f7da507d787b489761a0fa280716f84fa32b2f
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 76a4c6636a69d69409aa253b049b1be717a539c5
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ccf0ad56a779e6704c0b27f555dec847f50c7557
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 13604b1d7e7b125fb428cddbec6b8d92baad25d5
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 291bb5d931c6f3cd7227b913302a17be21cf53b0
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 1ca69007e52a73bd8b84b988b61b319816ca8b01
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 94458781aee6045bd3d0ad4b80b02886b9e2219b
affected

Default status
affected

5.4.297 (semver)
unaffected

5.10.241 (semver)
unaffected

5.15.190 (semver)
unaffected

6.1.149 (semver)
unaffected

6.6.103 (semver)
unaffected

6.12.43 (semver)
unaffected

6.15.11 (semver)
unaffected

6.16.2 (semver)
unaffected

6.17 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/73f7da507d787b489761a0fa280716f84fa32b2f

git.kernel.org/...c/76a4c6636a69d69409aa253b049b1be717a539c5

git.kernel.org/...c/ccf0ad56a779e6704c0b27f555dec847f50c7557

git.kernel.org/...c/13604b1d7e7b125fb428cddbec6b8d92baad25d5

git.kernel.org/...c/291bb5d931c6f3cd7227b913302a17be21cf53b0

git.kernel.org/...c/f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee

git.kernel.org/...c/6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9

git.kernel.org/...c/1ca69007e52a73bd8b84b988b61b319816ca8b01

git.kernel.org/...c/94458781aee6045bd3d0ad4b80b02886b9e2219b

cve.org (CVE-2025-38713)

nvd.nist.gov (CVE-2025-38713)

Download JSON