CVE-2025-38203

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jfs: Fix null-ptr-deref in jfs_ioc_trim<br /> <br /> [ Syzkaller Report ]<br /> <br /> Oops: general protection fault, probably for non-canonical address<br /> 0xdffffc0000000087: 0000 [#1<br /> KASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f]<br /> CPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted<br /> 6.13.0-rc6-gfbfd64d25c7a-dirty #1<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014<br /> Sched_ext: serialise (enabled+all), task: runnable_at=-30ms<br /> RIP: 0010:jfs_ioc_trim+0x34b/0x8f0<br /> Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93<br /> 90 82 fe ff 4c 89 ff 31 f6<br /> RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206<br /> RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a<br /> RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001<br /> RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000<br /> R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000<br /> R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438<br /> FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ? __die_body+0x61/0xb0<br /> ? die_addr+0xb1/0xe0<br /> ? exc_general_protection+0x333/0x510<br /> ? asm_exc_general_protection+0x26/0x30<br /> ? jfs_ioc_trim+0x34b/0x8f0<br /> jfs_ioctl+0x3c8/0x4f0<br /> ? __pfx_jfs_ioctl+0x10/0x10<br /> ? __pfx_jfs_ioctl+0x10/0x10<br /> __se_sys_ioctl+0x269/0x350<br /> ? __pfx___se_sys_ioctl+0x10/0x10<br /> ? do_syscall_64+0xfb/0x210<br /> do_syscall_64+0xee/0x210<br /> ? syscall_exit_to_user_mode+0x1e0/0x330<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7fe51f4903ad<br /> Code: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48<br /> 89 f7 48 89 d6 48 89 ca 4d<br /> RSP: 002b:00007fe5202250c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> RAX: ffffffffffffffda RBX: 00007fe51f5cbf80 RCX: 00007fe51f4903ad<br /> RDX: 0000000020000680 RSI: 00000000c0185879 RDI: 0000000000000005<br /> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe520225640<br /> R13: 000000000000000e R14: 00007fe51f44fca0 R15: 00007fe52021d000<br /> <br /> Modules linked in:<br /> ---[ end trace 0000000000000000 ]---<br /> RIP: 0010:jfs_ioc_trim+0x34b/0x8f0<br /> Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93<br /> 90 82 fe ff 4c 89 ff 31 f6<br /> RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206<br /> RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a<br /> RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001<br /> RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000<br /> R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000<br /> R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438<br /> FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Kernel panic - not syncing: Fatal exception<br /> <br /> [ Analysis ]<br /> <br /> We believe that we have found a concurrency bug in the `fs/jfs` module<br /> that results in a null pointer dereference. There is a closely related<br /> issue which has been fixed:<br /> <br /> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234<br /> <br /> ... but, unfortunately, the accepted patch appears to still be<br /> susceptible to a null pointer dereference under some interleavings.<br /> <br /> To trigger the bug, we think that `JFS_SBI(ipbmap-&gt;i_sb)-&gt;bmap` is set<br /> to NULL in `dbFreeBits` and then dereferenced in `jfs_ioc_trim`. This<br /> bug manifests quite rarely under normal circumstances, but is<br /> triggereable from a syz-program.