CVE-2025-37738

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
01/05/2025
Last modified:
04/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: ignore xattrs past end

Once inside 'ext4_xattr_inode_dec_ref_all' we should ignore xattrs entries past the 'end' entry.

This fixes the following KASAN reported issue:

==================================================================
BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
Read of size 4 at addr ffff888012c120c4 by task repro/2065

CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Call Trace:
 dump_stack_lvl+0x1fd/0x300
 ? tcp_gro_dev_warn+0x260/0x260
 ? _printk+0xc0/0x100
 ? read_lock_is_recursive+0x10/0x10
 ? irq_work_queue+0x72/0xf0
 ? __virt_addr_valid+0x17b/0x4b0
 print_address_description+0x78/0x390
 print_report+0x107/0x1f0
 ? __virt_addr_valid+0x17b/0x4b0
 ? __virt_addr_valid+0x3ff/0x4b0
 ? __phys_addr+0xb5/0x160
 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
 kasan_report+0xcc/0x100
 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
 ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
 ? ext4_xattr_delete_inode+0xd30/0xd30
 ? __ext4_journal_ensure_credits+0x5f0/0x5f0
 ? __ext4_journal_ensure_credits+0x2b/0x5f0
 ? inode_update_timestamps+0x410/0x410
 ext4_xattr_delete_inode+0xb64/0xd30
 ? ext4_truncate+0xb70/0xdc0
 ? ext4_expand_extra_isize_ea+0x1d20/0x1d20
 ? __ext4_mark_inode_dirty+0x670/0x670
 ? ext4_journal_check_start+0x16f/0x240
 ? ext4_inode_is_fast_symlink+0x2f2/0x3a0
 ext4_evict_inode+0xc8c/0xff0
 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
 ? do_raw_spin_unlock+0x53/0x8a0
 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
 evict+0x4ac/0x950
 ? proc_nr_inodes+0x310/0x310
 ? trace_ext4_drop_inode+0xa2/0x220
 ? _raw_spin_unlock+0x1a/0x30
 ? iput+0x4cb/0x7e0
 do_unlinkat+0x495/0x7c0
 ? try_break_deleg+0x120/0x120
 ? 0xffffffff81000000
 ? __check_object_size+0x15a/0x210
 ? strncpy_from_user+0x13e/0x250
 ? getname_flags+0x1dc/0x530
 __x64_sys_unlinkat+0xc8/0xf0
 do_syscall_64+0x65/0x110
 entry_SYSCALL_64_after_hwframe+0x67/0x6f

The buggy address belongs to the object at ffff888012c12000
 which belongs to the cache filp of size 360
The buggy address is located 196 bytes inside of
 freed 360-byte region [ffff888012c12000, ffff888012c12168)

Memory state around the buggy address:
 ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff888012c12180: fc fc fc fc fc fc fc fc fc
---truncated---
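Added example, not the kernel's code and not the fix commit itself: a hypothetical C model of the entry walk the commit message describes, showing why a walk that trusts only the "last entry" terminator runs past the xattr region when a corrupted image omits that terminator, and how bounding the walk at 'end' keeps it inside the region. The struct layout, field names and sample bytes are all constructed for this model.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical xattr entry model (not the kernel's struct ext4_xattr_entry):
 * 4-byte header + name_len name bytes; an all-zero header is the terminator. */
struct xent { uint8_t name_len, flags, ea_inode /* non-zero: EA inode ref */, pad; };
#define XENT_IS_LAST(e) ((e)->name_len == 0 && (e)->ea_inode == 0)
#define XENT_NEXT(e) ((const struct xent *)((const char *)(e) + 4 + (e)->name_len))
/* entries: EA-inode-referencing entries visited (refs a caller would drop);
 * bytes_past_end: how far past 'end' the walk reached (0 = stayed inside). */
struct walk_result { int entries; int bytes_past_end; };
/* Pre-fix style: trusts the terminator alone. 'hard_limit' is only this model's
 * guard so the demo itself never overruns its buffer; the real loop had none. */
struct walk_result walk_trusting_terminator(const struct xent *e, const char *end,
                                            const char *hard_limit)
{
    struct walk_result r = {0, 0};
    while ((const char *)e + 4 <= hard_limit && !XENT_IS_LAST(e)) {
        if ((const char *)e >= end)
            r.bytes_past_end = (int)((const char *)XENT_NEXT(e) - end);
        r.entries += e->ea_inode != 0;
        e = XENT_NEXT(e);
    }
    return r;
}
/* Fixed style: also stops at 'end', so a missing terminator cannot carry the
 * walk into memory that no longer belongs to the xattr region. */
struct walk_result walk_bounded(const struct xent *e, const char *end)
{
    struct walk_result r = {0, 0};
    while ((const char *)e + 4 <= end && (const char *)XENT_NEXT(e) <= end &&
           !XENT_IS_LAST(e)) {
        r.entries += e->ea_inode != 0;
        e = XENT_NEXT(e);
    }
    return r;
}
/* Constructed sample: a 16-byte region with two entries and NO terminator (as a
 * corrupted image could present), followed by bytes standing in for whatever
 * memory happens to sit after the region. */
struct walk_result demo(int bounded)
{
    unsigned char buf[64], region[16] = {4, 0, 1, 0, 'u', 's', 'e', 'r',
                                         4, 0, 2, 0, 't', 'e', 's', 't'};
    memset(buf, 0x01, sizeof buf);  /* neighbouring bytes: non-zero, so not "last" */
    memset(buf + 36, 0, 4);         /* the first all-zero header lies at offset 36 */
    memcpy(buf, region, sizeof region);
    const char *end = (const char *)buf + sizeof region;
    if (bounded) return walk_bounded((const struct xent *)buf, end);
    return walk_trusting_terminator((const struct xent *)buf, end, (const char *)buf + 64);
}
```

demo(0) visits six "entries" and reaches 20 bytes past the region (four of them fabricated from neighbouring bytes), while demo(1) stops after the two real entries.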

Vulnerable products and versions

CPE                                                From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       -                  5.4.293 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.5 (including)    5.10.237 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.11 (including)   5.15.181 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.16 (including)   6.1.135 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.2 (including)    6.6.88 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.7 (including)    6.12.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.13 (including)   6.13.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.14 (including)   6.14.3 (excluding)
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*   -                  -