CVE-2025-37739

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
01/05/2025
Last modified:
04/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()

syzbot reports a UBSAN issue as below:

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10
index 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]')
CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0
Call Trace:

__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
get_nid fs/f2fs/node.h:381 [inline]
f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181
f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808
f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836
f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886
f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093
aio_write+0x56b/0x7c0 fs/aio.c:1633
io_submit_one+0x8a7/0x18a0 fs/aio.c:2052
__do_sys_io_submit fs/aio.c:2111 [inline]
__se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f238798cde9

index 18446744073709550692 (decimal, unsigned long long)
= 0xfffffffffffffc64 (hexadecimal, unsigned long long)
= -924 (decimal, long long)

In f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to
access .i_nid[-924]; it means both offset[0] and level should be zero.

The possible case should be in f2fs_do_truncate_blocks(): we try to
truncate the inode size to zero, however dn.ofs_in_node is zero and
dn.node_page is not an inode page, so it fails to truncate the inode page,
and then passes a zeroed free_from to f2fs_truncate_inode_blocks(), resulting
in this issue.

	if (dn.ofs_in_node || IS_INODE(dn.node_page)) {
		f2fs_truncate_data_blocks_range(&dn, count);
		free_from += count;
	}

I guess the reason why dn.node_page is not an inode page could be: there
are multiple nat entries sharing the same node block address; once the node
block address was reused, f2fs_get_node_page() may load a non-inode block.

Let's add a sanity check for such a condition to avoid the out-of-bounds access
issue.
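
As an added illustration, not code from the kernel or from the fix commit, the following C model shows why offset[0] == 0 becomes the index -924 that UBSAN printed and how a guarded accessor rejects such a slot instead of reading in front of i_nid[]. The constants DEF_ADDRS_PER_INODE = 923 and NODE_DIR1_BLOCK = 924 are assumed from the upstream f2fs headers; model_inode, raw_nid_index, ubsan_view, get_nid_checked and lookup_sample are names chosen for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
/* Constants assumed from the upstream f2fs headers, not from this advisory. */
#define DEF_ADDRS_PER_INODE 923
#define NODE_DIR1_BLOCK     (DEF_ADDRS_PER_INODE + 1)   /* 924 */
#define NIDS_PER_INODE      5

/* Stand-in for the part of struct f2fs_inode that get_nid() reads. */
struct model_inode {
    uint32_t i_nid[NIDS_PER_INODE];   /* __le32 i_nid[5] on disk */
};

/* Index as get_nid() computes it (signed int): slot 0 gives -924. */
static int raw_nid_index(int off)
{
    return off - NODE_DIR1_BLOCK;
}

/* That index widened to the unsigned 64-bit value UBSAN printed. */
static uint64_t ubsan_view(int idx)
{
    return (uint64_t)(int64_t)idx;
}

/* Guarded accessor: refuse slots outside the i_nid[] window (returns false). */
static bool get_nid_checked(const struct model_inode *ri, int off, uint32_t *nid)
{
    if (off < NODE_DIR1_BLOCK || off >= NODE_DIR1_BLOCK + NIDS_PER_INODE)
        return false;
    *nid = ri->i_nid[off - NODE_DIR1_BLOCK];
    return true;
}

/* Look up one slot in a constructed sample inode; -1 means "rejected". */
static int64_t lookup_sample(int off)
{
    const struct model_inode ri = { .i_nid = { 10, 11, 12, 13, 14 } };
    uint32_t nid = 0;
    return get_nid_checked(&ri, off, &nid) ? (int64_t)nid : -1;
}

int main(void)
{
    int bad = raw_nid_index(0);
    printf("i_nid[%d] -> UBSAN index %llu; slot 0 -> %lld, slot 926 -> %lld\n",
           bad, (unsigned long long)ubsan_view(bad),
           (long long)lookup_sample(0), (long long)lookup_sample(926));
    return 0;
}
```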

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.8 (including) 5.10.237 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.181 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.135 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.88 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.14 (including) 6.14.3 (excluding)
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*