CVE-2025-37739

Severity: HIGH · EPSS 5.7%
CVSS 3.1 Base Score: 7.1 (High)
Published May 1, 2025 (1y ago) · Last Modified Jun 17, 2026 (1w ago)

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()

syzbot reports a UBSAN issue as below:

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10
index 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]')
CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
 get_nid fs/f2fs/node.h:381 [inline]
 f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181
 f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808
 f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836
 f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886
 f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093
 aio_write+0x56b/0x7c0 fs/aio.c:1633
 io_submit_one+0x8a7/0x18a0 fs/aio.c:2052
 __do_sys_io_submit fs/aio.c:2111 [inline]
 __se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f238798cde9

index 18446744073709550692 (decimal, unsigned long long)
= 0xfffffffffffffc64 (hexadecimal, unsigned long long)
= -924 (decimal, long long)

In f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to access .i_nid[-924], which means both offset[0] and level should be zero.

The possible case should be in f2fs_do_truncate_blocks(): we try to truncate the inode size to zero; however, dn.ofs_in_node is zero and dn.node_page is not an inode page, so it fails to truncate the inode page, and then passes a zeroed free_from to f2fs_truncate_inode_blocks(), resulting in this issue.

	if (dn.ofs_in_node || IS_INODE(dn.node_page)) {
		f2fs_truncate_data_blocks_range(&dn, count);
		free_from += count;
	}

I guess the reason why dn.node_page is not an inode page could be: there are multiple nat entries sharing the same node block address; once the node block address was reused, f2fs_get_node_page() may load a non-inode block.

Let's add a sanity check for such a condition to avoid the out-of-bounds access issue.
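The arithmetic behind the reported index, and the shape of the sanity check the commit message calls for, modelled in user-space C. This is an added illustration written for this page, not the kernel's code or the actual patch: the inode-level accessor is reduced to a five-entry i_nid array and an offset constant of 924 (assumed here because the trace shows index 0 - 924 = -924), and the truncate path is reduced to the ofs_in_node / IS_INODE pair from the snippet above. The names toy_*, checked_get_inode_nid and TOY_EFSCORRUPTED are hypothetical.

```c
/* Added example (not kernel code). Models how an unchecked index of
 * off - NODE_DIR1_BLOCK goes negative for off == 0 at the inode level, why
 * UBSAN reports it as a huge unsigned value, and what a defensive check that
 * refuses the corrupted state instead of indexing looks like.
 * Constants are ASSUMED to match the trace on this page (-924). */
#include <stdint.h>
#include <stdio.h>

#define ASSUMED_ADDRS_PER_INODE 923
#define ASSUMED_NODE_DIR1_BLOCK (ASSUMED_ADDRS_PER_INODE + 1)  /* 924 (assumed) */
#define NIDS_PER_INODE 5          /* matches '__le32[5]' in the UBSAN report */
#define TOY_EFSCORRUPTED 117      /* illustrative errno value for "corrupted fs" */

/* Simplified inode footer: the five indirect-node ids of an f2fs inode. */
struct toy_inode {
    uint32_t i_nid[NIDS_PER_INODE];
};

/* Simplified dnode-of-data: the two fields the snippet above tests. */
struct toy_dnode {
    unsigned int ofs_in_node;   /* offset of the data block within the node page */
    int node_page_is_inode;     /* stands in for IS_INODE(dn.node_page) */
};

struct toy_sbi {
    int need_fsck;              /* stands in for setting SBI_NEED_FSCK */
};

/* Index the unchecked accessor would compute, kept as a signed value. */
long unchecked_index(int off)
{
    return (long)off - ASSUMED_NODE_DIR1_BLOCK;
}

/* The same index once it is widened to an unsigned 64-bit subscript:
 * this is the number UBSAN prints. */
unsigned long long unchecked_index_as_unsigned(int off)
{
    return (unsigned long long)(long long)unchecked_index(off);
}

/* Hardened accessor: validate the offset before touching the array.
 * Returns 0 and writes *nid on success, -TOY_EFSCORRUPTED otherwise. */
int checked_get_inode_nid(const struct toy_inode *ino, int off, uint32_t *nid)
{
    long idx = (long)off - ASSUMED_NODE_DIR1_BLOCK;

    if (idx < 0 || idx >= NIDS_PER_INODE)
        return -TOY_EFSCORRUPTED;
    *nid = ino->i_nid[idx];
    return 0;
}

/* Modelled truncate-to-zero step. Returns the free_from value that would be
 * handed on to inode-block truncation, or a negative errno. The branch the
 * snippet above skips silently is turned into an explicit corruption check. */
long toy_truncate_blocks(struct toy_sbi *sbi, const struct toy_dnode *dn,
                         unsigned int count)
{
    long free_from = 0;

    if (dn->ofs_in_node || dn->node_page_is_inode) {
        /* normal case: data blocks in this node page are truncated */
        free_from += count;
        return free_from;
    }

    /* ofs_in_node == 0 but the page is not an inode page: the node address
     * was reused or the NAT is inconsistent. Flag fsck and refuse, instead
     * of passing free_from == 0 down to the inode-level accessor. */
    sbi->need_fsck = 1;
    return -TOY_EFSCORRUPTED;
}

int main(void)
{
    struct toy_inode ino = { { 11, 22, 33, 44, 55 } };   /* constructed sample */
    struct toy_dnode bad = { 0, 0 }, good = { 0, 1 };
    struct toy_sbi sbi = { 0 };
    uint32_t nid = 0;

    printf("off=0 -> signed %ld, unsigned %llu (0x%llx)\n",
           unchecked_index(0), unchecked_index_as_unsigned(0),
           unchecked_index_as_unsigned(0));
    printf("checked off=0 -> %d\n", checked_get_inode_nid(&ino, 0, &nid));
    printf("checked off=924 -> %d nid=%u\n",
           checked_get_inode_nid(&ino, 924, &nid), nid);
    printf("truncate bad -> %ld need_fsck=%d\n",
           toy_truncate_blocks(&sbi, &bad, 3), sbi.need_fsck);
    printf("truncate good -> %ld\n", toy_truncate_blocks(&sbi, &good, 3));
    return 0;
}
```

The point of the two accessors is the order of operations: the unchecked version subtracts first and lets the CPU widen the negative result to a 64-bit subscript, so the only thing standing between a stale node page and an out-of-bounds read is UBSAN; the checked version decides validity on the signed intermediate and returns a corruption error that the caller can turn into a need-fsck flag.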

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
5.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125: Out-of-bounds Read (Memory Safety)

Affected Products 8

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥3.8  –  <5.10.237
linux    linux_kernel   *         ≥5.11  –  <5.15.181
linux    linux_kernel   *         ≥5.16  –  <6.1.135
linux    linux_kernel   *         ≥6.2  –  <6.6.88
linux    linux_kernel   *         ≥6.7  –  <6.12.24
linux    linux_kernel   *         ≥6.13  –  <6.13.12
linux    linux_kernel   *         ≥6.14  –  <6.14.3
debian   debian_linux   11.0      any

References 10

  • git.kernel.org https://git.kernel.org/stable/c/67e16ccba74dd8de0a7b10062f1e02d77432f573
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6ba8b41d0aa4b82f90f0c416cb53fcef9696525d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8b5e5aac44fee122947a269f9034c048e4c295de
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/98dbf2af63de0b551082c9bc48333910e009b09f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a67e1bf03c609a751d1740a1789af25e599966fa
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d7242fd7946d4cba0411effb6b5048ca55125747
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e6494977bd4a83862118a05f57a8df40256951c0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ecc461331604b07cdbdb7360dbdf78471653264c
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
    Mailing List
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
    Mailing List

Remediation

  • Patches: the eight git.kernel.org stable commits listed under References above.