
Description

In the Linux kernel, the following vulnerability has been resolved:

hfs: validate record offset in hfsplus_bmap_alloc

hfsplus_bmap_alloc can trigger a crash if a record offset or length is larger than node_size

[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0
[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183
[ 15.265949]
[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)
[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 15.266167] Call Trace:
[ 15.266168] <TASK>
[ 15.266169] dump_stack_lvl+0x53/0x70
[ 15.266173] print_report+0xd0/0x660
[ 15.266181] kasan_report+0xce/0x100
[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0
[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0
[ 15.266217] hfsplus_brec_insert+0x870/0xb00
[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570
[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910
[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200
[ 15.266233] hfsplus_file_extend+0x5a7/0x1000
[ 15.266237] hfsplus_get_block+0x12b/0x8c0
[ 15.266238] __block_write_begin_int+0x36b/0x12c0
[ 15.266251] block_write_begin+0x77/0x110
[ 15.266252] cont_write_begin+0x428/0x720
[ 15.266259] hfsplus_write_begin+0x51/0x100
[ 15.266262] cont_write_begin+0x272/0x720
[ 15.266270] hfsplus_write_begin+0x51/0x100
[ 15.266274] generic_perform_write+0x321/0x750
[ 15.266285] generic_file_write_iter+0xc3/0x310
[ 15.266289] __kernel_write_iter+0x2fd/0x800
[ 15.266296] dump_user_range+0x2ea/0x910
[ 15.266301] elf_core_dump+0x2a94/0x2ed0
[ 15.266320] vfs_coredump+0x1d85/0x45e0
[ 15.266349] get_signal+0x12e3/0x1990
[ 15.266357] arch_do_signal_or_restart+0x89/0x580
[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110
[ 15.266364] asm_exc_page_fault+0x26/0x30
[ 15.266366] RIP: 0033:0x41bd35
[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f
[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283
[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000
[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100
[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000
[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000
[ 15.266376] </TASK>

When calling hfsplus_bmap_alloc to allocate a free node, this function first retrieves the bitmap from header node and map node using node->page together with the offset and length from hfs_brec_lenoff

```
len = hfs_brec_lenoff(node, 2, &off16);
off = off16;
off += node->page_offset;
pagep = node->page + (off >> PAGE_SHIFT);
data = kmap_local_page(*pagep);
```

However, if the retrieved offset or length is invalid (i.e. exceeds node_size), the code may end up accessing pages outside the allocated range for this node.

This patch adds proper validation of both offset and length before use, preventing out-of-bounds page access.

Move is_bnode_offset_valid and check_and_correct_requested_length to hfsplus_fs.h, as they may be required by other functions.
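The following is an added userspace C model of the bug and its fix; it is not the kernel's code and not the patch. It reproduces the arithmetic the commit message describes: hfs_brec_lenoff reads record 2's offset and length from the big-endian u16 offset table at the tail of the node, and hfsplus_bmap_alloc then indexes node->page by (off >> PAGE_SHIFT) without checking that the offset lies inside node_size. The struct, the model_* function names, MODEL_NODE_SIZE, the single-page node layout and the three sample offset tables are all constructed for this example; the offset/length checks model what is_bnode_offset_valid and check_and_correct_requested_length are described as doing, not their exact kernel implementation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT      12u
#define MODEL_NODE_SIZE 4096u   /* constructed: one B-tree node occupies one page */

/* Constructed model of a B-tree node; field names follow the commit message
 * (node_size, page_offset) but this is not the kernel's struct hfs_bnode. */
struct model_bnode {
    uint32_t node_size;            /* bytes per node (header record's nodeSize) */
    uint32_t page_offset;          /* where the node starts inside its first page */
    uint32_t nr_pages;             /* pages actually mapped for this node */
    uint8_t  data[MODEL_NODE_SIZE];
};

static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Same arithmetic as hfs_brec_lenoff(): the record offset table is a list of
 * big-endian u16 stored backwards from the end of the node; record r's offset
 * sits at node_size - 2*(r+1). Length is "next record's offset minus mine",
 * computed in u16, so a table whose offsets run backwards wraps to a huge len. */
static uint16_t model_brec_lenoff(const struct model_bnode *n, uint16_t rec, uint16_t *off)
{
    uint32_t dataoff = n->node_size - (rec + 2u) * 2u;
    uint16_t next_off = rd_be16(n->data + dataoff);
    *off = rd_be16(n->data + dataoff + 2);
    return (uint16_t)(next_off - *off);
}

/* Checks modelled on what the fix adds (assumption: behaviour, not kernel code):
 * reject an offset at or past node_size, clamp a length that runs past the node. */
static bool model_offset_valid(const struct model_bnode *n, uint32_t off)
{
    return off < n->node_size;
}

static uint32_t model_clamp_len(const struct model_bnode *n, uint32_t off, uint32_t len)
{
    if (!model_offset_valid(n, off))
        return 0;
    if (off + len > n->node_size)
        return n->node_size - off;
    return len;
}

/* Models the start of hfsplus_bmap_alloc(): locate the bitmap via record 2.
 * Returns the index that node->page[idx] would be read at, or -1 when the
 * validation rejects the record. *len_out receives the (possibly clamped) length. */
static int model_bmap_page_index(const struct model_bnode *n, bool validate, uint32_t *len_out)
{
    uint16_t off16;
    uint32_t len = model_brec_lenoff(n, 2, &off16);
    uint32_t off = off16;

    if (validate) {
        len = model_clamp_len(n, off, len);
        if (len == 0)
            return -1;               /* the patched path errors out here */
    }
    *len_out = len;
    off += n->page_offset;
    return (int)(off >> PAGE_SHIFT);  /* pagep = node->page + (off >> PAGE_SHIFT) */
}

/* True when the page index lies outside the pages mapped for this node, i.e.
 * the slab-out-of-bounds read of node->page[] that KASAN reported. */
static bool model_page_index_oob(const struct model_bnode *n, int idx)
{
    return idx >= 0 && (uint32_t)idx >= n->nr_pages;
}

/* Constructed sample node: record 2 starts at off2, record 3 at off3. */
static void model_build_node(struct model_bnode *n, uint16_t off2, uint16_t off3)
{
    memset(n, 0, sizeof(*n));
    n->node_size = MODEL_NODE_SIZE;
    n->page_offset = 0;
    n->nr_pages = 1;
    wr_be16(n->data + n->node_size - 2 * (2 + 1), off2);
    wr_be16(n->data + n->node_size - 2 * (3 + 1), off3);
}

/* Helpers that run one constructed case end to end. */
static int model_case(uint16_t off2, uint16_t off3, bool validate)
{
    struct model_bnode n; uint32_t len;
    model_build_node(&n, off2, off3);
    return model_bmap_page_index(&n, validate, &len);
}
static uint32_t model_case_len(uint16_t off2, uint16_t off3, bool validate)
{
    struct model_bnode n; uint32_t len = 0;
    model_build_node(&n, off2, off3);
    model_bmap_page_index(&n, validate, &len);
    return len;
}
static bool model_case_oob(uint16_t off2, uint16_t off3)
{
    struct model_bnode n; uint32_t len;
    model_build_node(&n, off2, off3);
    return model_page_index_oob(&n, model_bmap_page_index(&n, false, &len));
}

int main(void)
{
    printf("sane:    page %d oob=%d\n", model_case(0x0100, 0x0200, false), model_case_oob(0x0100, 0x0200));
    printf("bad off: page %d oob=%d unpatched, rejected=%d patched\n",
           model_case(0xF000, 0xF100, false), model_case_oob(0xF000, 0xF100),
           model_case(0xF000, 0xF100, true) == -1);
    printf("bad len: raw len %u, clamped len %u\n",
           model_case_len(0x0100, 0x0080, false), model_case_len(0x0100, 0x0080, true));
    return 0;
}
```

The second case is the crash in the report: a record offset of 0xF000 in a 4096-byte node yields page index 15 for a node that maps one page, so the unpatched read of node->page[15] runs past the array. The third case shows why the length needs checking as well as the offset: offsets that run backwards produce a u16 wrap to 65408 bytes, which the clamp reduces to the 3840 bytes that actually remain in the node.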

PUBLISHED Reserved 2025-04-16 | Published 2025-12-16 | Updated 2025-12-16 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before f7d9f600c7c3ff5dab36181a388af55f2c95604c
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 40dfe7a4215a1f20842561ffaf5a6f83a987e75b
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 418e48cab99c52c1760636a4dbe464bf6db2018b
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 0058d20d76182861dbdd8fd6e2dd8d18d6d3becf
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 4f40a2b3969daf10dca4dea6f6dd0e813f79b227
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 17ed51cfce6c62cffb97059ef392ad2e0245806e
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 068a46df3e6acc68fb9db0a6313ab379a11ecd6f
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20
affected

Default status
affected

5.4.301 (semver)
unaffected

5.10.246 (semver)
unaffected

5.15.196 (semver)
unaffected

6.1.158 (semver)
unaffected

6.6.115 (semver)
unaffected

6.12.56 (semver)
unaffected

6.17.6 (semver)
unaffected

6.18 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/f7d9f600c7c3ff5dab36181a388af55f2c95604c

git.kernel.org/...c/40dfe7a4215a1f20842561ffaf5a6f83a987e75b

git.kernel.org/...c/418e48cab99c52c1760636a4dbe464bf6db2018b

git.kernel.org/...c/0058d20d76182861dbdd8fd6e2dd8d18d6d3becf

git.kernel.org/...c/4f40a2b3969daf10dca4dea6f6dd0e813f79b227

git.kernel.org/...c/17ed51cfce6c62cffb97059ef392ad2e0245806e

git.kernel.org/...c/068a46df3e6acc68fb9db0a6313ab379a11ecd6f

git.kernel.org/...c/738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20

cve.org (CVE-2025-40349)

nvd.nist.gov (CVE-2025-40349)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.