CVE-2025-40167

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: detect invalid INLINE_DATA + EXTENTS flag combination syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal. The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set: EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15: comm syz.0.17: corrupted extent tree: lblk 0 < prev 66 Investigation revealed that the inode has both flags set: DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1 This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes. Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.

PUBLISHED Reserved 2025-04-16 | Published 2025-11-12 | Updated 2025-12-01 | Assigner Linux

Product status

References

git.kernel.org/...c/4954d297c91d292630ab43ba4d195dc371ce65d3

git.kernel.org/...c/f061f7c331fc16250fc82aa68964f35821687217

git.kernel.org/...c/2e9e10657b04152ed0d6ecae8d0c02a3405e28f5

git.kernel.org/...c/1437c95ab2a28b138d4521653583729f61ccb48b

git.kernel.org/...c/cb6039b68efa547b676a8a10fc4618d9d1865c23

git.kernel.org/...c/de985264eef64be8a90595908f2e6a87946dad34

git.kernel.org/...c/1f5ccd22ff482639133f2a0fe08f6d19d0e68717

git.kernel.org/...c/1d3ad183943b38eec2acf72a0ae98e635dc8456b

cve.org (CVE-2025-40167)

nvd.nist.gov (CVE-2025-40167)

Download JSON