Home

Description

In the Linux kernel, the following vulnerability has been resolved: orangefs: fix xattr related buffer overflow... Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning: > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread. I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on. After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key. When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr "security.capability" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for "security.capability" resulted in another kmalloc, none of which were ever freed. I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture.

PUBLISHED Reserved 2025-04-16 | Published 2025-12-08 | Updated 2025-12-08 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before c6564ff6b53c9a8dc786b6f1c51ae7688273f931
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ef892d2bf4f3fa2c8de1677dd307e678bdd3d865
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 15afebb9597449c444801d1ff0b8d8b311f950ab
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before bc812574de633cf9a9ad6974490e45f6a4bb5126
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before e09a096104fc65859422817fb2211f35855983fe
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 9127d1e90c90e5960c8bc72a4ce2c209691a7021
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before c2ca015ac109fd743fdde27933d59dc5ad46658e
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 025e880759c279ec64d0f754fe65bf45961da864
affected

Default status
affected

5.4.302 (semver)
unaffected

5.10.247 (semver)
unaffected

5.15.197 (semver)
unaffected

6.1.159 (semver)
unaffected

6.6.117 (semver)
unaffected

6.12.58 (semver)
unaffected

6.17.8 (semver)
unaffected

6.18 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/c6564ff6b53c9a8dc786b6f1c51ae7688273f931

git.kernel.org/...c/ef892d2bf4f3fa2c8de1677dd307e678bdd3d865

git.kernel.org/...c/15afebb9597449c444801d1ff0b8d8b311f950ab

git.kernel.org/...c/bc812574de633cf9a9ad6974490e45f6a4bb5126

git.kernel.org/...c/e09a096104fc65859422817fb2211f35855983fe

git.kernel.org/...c/9127d1e90c90e5960c8bc72a4ce2c209691a7021

git.kernel.org/...c/c2ca015ac109fd743fdde27933d59dc5ad46658e

git.kernel.org/...c/025e880759c279ec64d0f754fe65bf45961da864

cve.org (CVE-2025-40306)

nvd.nist.gov (CVE-2025-40306)

Download JSON