Description

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix crafted invalid cases for encoded extents

Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:

- The first one [1] has plen != 0 (e.g. plen == 0x2000000) but (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent special extents such as sparse extents (!EROFS_MAP_MAPPED), but previously only plen == 0 was handled;

- The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000, then "cur [0xfffffffffffff000] += bvec.bv_len [0x1000]" in "} while ((cur += bvec.bv_len) < end);" wraps around, causing an out-of-bound access of pcl->compressed_bvecs[] in z_erofs_submit_queue().

EROFS only supports 48-bit physical block addresses (up to 1EiB for 4k blocks), so add a sanity check to enforce this.
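The two checks the description calls for, as an added user-space sketch (not the kernel patch and not code from this record): treat an extent as unmapped when its masked length is zero, and reject any extent that reaches past 2^48 blocks using a comparison that cannot itself wrap. `BLKBITS`, the `PLEN_MASK` value (chosen so that 0x2000000 masks to zero, as in the first image) and the function names are assumptions, and the pa used with the first image's plen is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this sketch, not copied from the kernel headers. */
#define BLKBITS   12                               /* 4 KiB blocks */
#define PLEN_MASK UINT32_C(0x00ffffff)             /* assumed: low bits of plen hold the length */
#define PA_LIMIT  (UINT64_C(1) << (48 + BLKBITS))  /* 2^48 blocks = 1 EiB in bytes */

enum ext_kind { EXT_UNMAPPED, EXT_MAPPED, EXT_CORRUPTED };

/* Classify an extent (physical byte address + raw plen) read from an untrusted image. */
enum ext_kind classify_extent(uint64_t pa, uint32_t raw_plen)
{
    uint64_t len = raw_plen & PLEN_MASK;

    if (len == 0)               /* test the masked length, not raw_plen == 0 */
        return EXT_UNMAPPED;
    /* pa < PA_LIMIT is checked first, so PA_LIMIT - pa cannot underflow and
     * pa + len is never evaluated where it could wrap past 2^64. */
    if (pa >= PA_LIMIT || len > PA_LIMIT - pa)
        return EXT_CORRUPTED;
    return EXT_MAPPED;
}

/* Pages a per-page walk would visit, or -1 if the extent must not be walked.
 * A caller can compare the result with the capacity of its bvec array. */
int64_t pages_spanned(uint64_t pa, uint32_t raw_plen)
{
    uint64_t len = raw_plen & PLEN_MASK;

    if (classify_extent(pa, raw_plen) != EXT_MAPPED)
        return -1;
    return (int64_t)(((pa + len - 1) >> BLKBITS) - (pa >> BLKBITS) + 1);
}

int main(void)
{
    /* First image's plen (pa constructed), second image's pa/plen, then a
     * constructed in-range extent with the same plen and page offset. */
    printf("sparse-style plen: kind=%d\n", classify_extent(0, 0x2000000));
    printf("huge pa:           kind=%d\n",
           classify_extent(UINT64_C(0xffffffffffdcffed), 0xb4000));
    printf("in-range extent:   pages=%lld\n",
           (long long)pages_spanned(0xfed, 0xb4000));
    return 0;
}
```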

PUBLISHED Reserved 2025-04-16 | Published 2025-12-04 | Updated 2025-12-04 | Assigner Linux

Product status

Default status: unaffected

1d191b4ca51d73699cb127386b95ac152af2b930 (git) before 00d8fe0b72f4ca0a983abced36aad2160038c421: affected

1d191b4ca51d73699cb127386b95ac152af2b930 (git) before a429b76114aaca3ef1aff4cd469dcf025431bd11: affected

Default status: affected

6.15: affected

Any version before 6.15: unaffected

6.17.6 (semver): unaffected

6.18 (original_commit_for_fix): unaffected

References

git.kernel.org/...c/00d8fe0b72f4ca0a983abced36aad2160038c421

git.kernel.org/...c/a429b76114aaca3ef1aff4cd469dcf025431bd11

cve.org (CVE-2025-40241)

nvd.nist.gov (CVE-2025-40241)