CVE-2025-39735

Description

In the Linux kernel, the following vulnerability has been resolved: jfs: fix slab-out-of-bounds read in ea_get() During the "size_check" label in ea_get(), the code checks if the extended attribute list (xattr) size matches ea_size. If not, it logs "ea_get: invalid extended attribute" and calls print_hex_dump(). Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds INT_MAX (2,147,483,647). Then ea_size is clamped: int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper limit is treated as an int, causing an overflow above 2^31 - 1. This leads "size" to wrap around and become negative (-184549328). The "size" is then passed to print_hex_dump() (called "len" in print_hex_dump()), it is passed as type size_t (an unsigned type), this is then stored inside a variable called "int remaining", which is then assigned to "int linelen" which is then passed to hex_dump_to_buffer(). In print_hex_dump() the for loop, iterates through 0 to len-1, where len is 18446744073525002176, calling hex_dump_to_buffer() on each iteration: for (i = 0; i < len; i += rowsize) { linelen = min(remaining, rowsize); remaining -= rowsize; hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize, linebuf, sizeof(linebuf), ascii); ... } The expected stopping condition (i < len) is effectively broken since len is corrupted and very large. This eventually leads to the "ptr+i" being passed to hex_dump_to_buffer() to get closer to the end of the actual bounds of "ptr", eventually an out of bounds access is done in hex_dump_to_buffer() in the following for loop: for (j = 0; j < len; j++) { if (linebuflen < lx + 2) goto overflow2; ch = ptr[j]; ... } To fix this we should validate "EALIST_SIZE(ea_buf->xattr)" before it is utilised.

Reserved 2025-04-16 | Published 2025-04-18 | Updated 2025-05-26 | Assigner Linux

Product status

Default status
unaffected

6e39b681d1eb16f408493bf5023788b57f68998c before 3d6fd5b9c6acbc005e53d0211c7381f566babec1
affected

bbf3f1fd8a0ac7df1db36a9b9e923041a14369f2 before 50afcee7011155933d8d5e8832f52eeee018cfd3
affected

27a93c45e16ac25a0e2b5e5668e2d1beca56a478 before 78c9cbde8880ec02d864c166bcb4fe989ce1d95f
affected

9c356fc32a4480a2c0e537a05f2a8617633ddad0 before 46e2c031aa59ea65128991cbca474bd5c0c2ecdb
affected

9353cdf28d4c5c0ff19c5df7fbf81ea774de43a4 before a8c31808925b11393a6601f534bb63bac5366bab
affected

8c505ebeed8045b488b2e60b516c752b851f8437 before 0beddc2a3f9b9cf7d8887973041e36c2d0fa3652
affected

d9f9d96136cba8fedd647d2c024342ce090133c2 before 16d3d36436492aa248b2d8045e75585ebcc2f34d
affected

d9f9d96136cba8fedd647d2c024342ce090133c2 before 5263822558a8a7c0d0248d5679c2dcf4d5cda61f
affected

d9f9d96136cba8fedd647d2c024342ce090133c2 before fdf480da5837c23b146c4743c18de97202fcab37
affected

4ea25fa8747fb8b1e5a11d87b852023ecf7ae420
affected

676a787048aafd4d1b38a522b05a9cc77e1b0a33
affected

Default status
affected

6.13
affected

Any version before 6.13
unaffected

5.4.292
unaffected

5.10.236
unaffected

5.15.180
unaffected

6.1.134
unaffected

6.6.87
unaffected

6.12.23
unaffected

6.13.11
unaffected

6.14.2
unaffected

6.15
unaffected

References

git.kernel.org/...c/3d6fd5b9c6acbc005e53d0211c7381f566babec1

git.kernel.org/...c/50afcee7011155933d8d5e8832f52eeee018cfd3

git.kernel.org/...c/78c9cbde8880ec02d864c166bcb4fe989ce1d95f

git.kernel.org/...c/46e2c031aa59ea65128991cbca474bd5c0c2ecdb

git.kernel.org/...c/a8c31808925b11393a6601f534bb63bac5366bab

git.kernel.org/...c/0beddc2a3f9b9cf7d8887973041e36c2d0fa3652

git.kernel.org/...c/16d3d36436492aa248b2d8045e75585ebcc2f34d

git.kernel.org/...c/5263822558a8a7c0d0248d5679c2dcf4d5cda61f

git.kernel.org/...c/fdf480da5837c23b146c4743c18de97202fcab37

cve.org (CVE-2025-39735)

nvd.nist.gov (CVE-2025-39735)

Download JSON