CVE-2025-23150
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 01/05/2025 (DD/MM/YYYY)
Last modified: 05/11/2025 (DD/MM/YYYY)
Description
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix off-by-one error in do_split

Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
caused by out-of-bounds access due to incorrect splitting in do_split.

```
BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847

CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
 ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
 add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
 make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
 ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
 ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
 vfs_symlink+0x137/0x2e0 fs/namei.c:4615
 do_symlinkat+0x222/0x3a0 fs/namei.c:4641
 __do_sys_symlink fs/namei.c:4662 [inline]
 __se_sys_symlink fs/namei.c:4660 [inline]
 __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
```

The following loop is located right above the 'if' statement.

```c
	for (i = count-1; i >= 0; i--) {
		/* is more than half of this entry in 2nd half of the block? */
		if (size + map[i].size/2 > blocksize/2)
			break;
		size += map[i].size;
		move++;
	}
```

'i' in this case could go down to -1, in which case the sum of active entries
wouldn't exceed half the block size, but the previous behaviour would also
split in half if the sum would exceed it at the very last block, which, in the
case of having too many long-name files in a single block, could lead to
out-of-bounds access and a following use-after-free.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
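The loop quoted in the commit message, as an added user-space model that is not kernel code and not the upstream patch. It walks two constructed entry-size arrays (sizes are made up; they do not reproduce the syzkaller image): one where the walk breaks partway as intended, and one meeting the condition the commit message names, where the entries' total stays under half the block, so `i` runs down to -1, `move == count`, and the split index `count - move` becomes 0. In the kernel, do_split() then uses `map[split]` and `map[split - 1]`, so a split of 0 indexes `map[-1]` and leaves the first half of the block with no entries. The `split_index_bounded` variant is this example's own illustration of a bounds-safe walk; the real fix is in the referenced commits. `struct dx_map_entry` here keeps only the size field.

```c
#include <stdio.h>

/* Stand-in for the kernel's per-entry map; only the size field is modelled. */
struct dx_map_entry {
	unsigned int size;	/* bytes this directory entry occupies in the block */
};

/*
 * The loop exactly as the commit message quotes it. Entries are walked from
 * the end of the map and "moved" to the second half until more than half of
 * the next entry would fall past the block midpoint. Returns count - move,
 * the index at which do_split() splits the block.
 *
 * Off-by-one: nothing stops i from reaching -1. If every entry is accepted,
 * move == count and the result is 0: the caller would then read map[-1] and
 * move every entry out of the first half.
 */
static int split_index_original(const struct dx_map_entry *map, int count,
				unsigned int blocksize)
{
	unsigned int size = 0;
	int move = 0;
	int i;

	for (i = count - 1; i >= 0; i--) {
		/* is more than half of this entry in 2nd half of the block? */
		if (size + map[i].size / 2 > blocksize / 2)
			break;
		size += map[i].size;
		move++;
	}
	return count - move;
}

/*
 * Hardened variant written for this example (not the upstream patch): never
 * consume entry 0, and when the whole tail fits in half a block fall back to
 * splitting by count so that both halves keep at least one entry.
 */
static int split_index_bounded(const struct dx_map_entry *map, int count,
			       unsigned int blocksize)
{
	unsigned int size = 0;
	int move = 0;
	int i;

	for (i = count - 1; i > 0; i--) {
		if (size + map[i].size / 2 > blocksize / 2)
			break;
		size += map[i].size;
		move++;
	}
	if (i > 0)
		return count - move;
	return count / 2;
}

/* Constructed input 1: 15 long-name entries of 264 bytes (8-byte header +
 * 255-byte name rounded up to 4) in a 4096-byte block; the walk breaks at
 * entry 6 after moving 8 entries, so both variants return 7. */
static const struct dx_map_entry long_names[15] = {
	{264}, {264}, {264}, {264}, {264}, {264}, {264}, {264},
	{264}, {264}, {264}, {264}, {264}, {264}, {264},
};

/* Constructed input 2: 4 entries of 120 bytes in a 1024-byte block; the
 * total (480) plus half of entry 0 (60) never exceeds 512, so the original
 * loop runs to i == -1 and returns 0, while the bounded variant returns 2. */
static const struct dx_map_entry few_entries[4] = {
	{120}, {120}, {120}, {120},
};

static void report(const char *label, const struct dx_map_entry *map,
		   int count, unsigned int blocksize)
{
	int orig = split_index_original(map, count, blocksize);
	int safe = split_index_bounded(map, count, blocksize);

	printf("%-11s count=%2d blocksize=%4u  original split=%d%s  bounded split=%d\n",
	       label, count, blocksize, orig,
	       orig == 0 ? " (map[split - 1] would be map[-1])" : "", safe);
}

int main(void)
{
	report("long-names", long_names, 15, 4096);
	report("under-half", few_entries, 4, 1024);
	return 0;
}
```

The second case is the one the commit message describes: the loop's break condition is never met, so the off-by-one is not in the arithmetic but in letting the walk run past entry 0. Any guard placed after the loop must therefore check the loop index (or `move == count`), not the accumulated `size`.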
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.4.234 (including) | 4.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.9.234 (including) | 4.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.14.195 (including) | 4.15 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.142 (including) | 4.20 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.61 (including) | 5.4.293 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.7.18 (including) | 5.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.8.4 (including) | 5.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.9.1 (including) | 5.10.237 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.181 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.135 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.88 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.24 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.14 (including) | 6.14.3 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.9:-:*:*:*:*:*:* | 5.9 (single version) | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/16d9067f00e3a7d1df7c3aa9c20d214923d27e10
- https://git.kernel.org/stable/c/17df39f455f1289319d4d09e4826aa46852ffd17
- https://git.kernel.org/stable/c/2883e9e74f73f9265e5f8d1aaaa89034b308e433
- https://git.kernel.org/stable/c/2eeb1085bf7bd5c7ba796ca4119925fa5d336a3f
- https://git.kernel.org/stable/c/35d0aa6db9d93307085871ceab8a729594a98162
- https://git.kernel.org/stable/c/515c34cff899eb5dae6aa7eee01c1295b07d81af
- https://git.kernel.org/stable/c/94824ac9a8aaf2fb3c54b4bdde842db80ffa555d
- https://git.kernel.org/stable/c/ab0cc5c25552ae0d20eae94b40a93be11b080fc5
- https://git.kernel.org/stable/c/b96bd2c3db26ad0daec5b78c85c098b53900e2e1
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html