CVE-2025-38203
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/07/2025
Last modified:
08/07/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

jfs: Fix null-ptr-deref in jfs_ioc_trim

[ Syzkaller Report ]

Oops: general protection fault, probably for non-canonical address
0xdffffc0000000087: 0000 [#1
KASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f]
CPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted
6.13.0-rc6-gfbfd64d25c7a-dirty #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Sched_ext: serialise (enabled+all), task: runnable_at=-30ms
RIP: 0010:jfs_ioc_trim+0x34b/0x8f0
Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93
90 82 fe ff 4c 89 ff 31 f6
RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206
RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001
RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000
R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438
FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:

? __die_body+0x61/0xb0
? die_addr+0xb1/0xe0
? exc_general_protection+0x333/0x510
? asm_exc_general_protection+0x26/0x30
? jfs_ioc_trim+0x34b/0x8f0
jfs_ioctl+0x3c8/0x4f0
? __pfx_jfs_ioctl+0x10/0x10
? __pfx_jfs_ioctl+0x10/0x10
__se_sys_ioctl+0x269/0x350
? __pfx___se_sys_ioctl+0x10/0x10
? do_syscall_64+0xfb/0x210
do_syscall_64+0xee/0x210
? syscall_exit_to_user_mode+0x1e0/0x330
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe51f4903ad
Code: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d
RSP: 002b:00007fe5202250c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fe51f5cbf80 RCX: 00007fe51f4903ad
RDX: 0000000020000680 RSI: 00000000c0185879 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe520225640
R13: 000000000000000e R14: 00007fe51f44fca0 R15: 00007fe52021d000

Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:jfs_ioc_trim+0x34b/0x8f0
Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93
90 82 fe ff 4c 89 ff 31 f6
RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206
RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001
RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000
R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438
FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Kernel panic - not syncing: Fatal exception

[ Analysis ]

We believe that we have found a concurrency bug in the `fs/jfs` module
that results in a null pointer dereference. There is a closely related
issue which has been fixed:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234

... but, unfortunately, the accepted patch appears to still be
susceptible to a null pointer dereference under some interleavings.

To trigger the bug, we think that `JFS_SBI(ipbmap->i_sb)->bmap` is set
to NULL in `dbFreeBits` and then dereferenced in `jfs_ioc_trim`. This
bug manifests quite rarely under normal circumstances, but is
triggerable from a syz-program.
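The analysis above describes a bug class rather than a single line: a pointer held in shared per-superblock state (`bmap`) is cleared by one path and dereferenced by an ioctl path without a check. The following user-space C model is an added illustration written for this page; it is not the jfs code and not the upstream fix referenced below. The `struct bmap`, `struct sb_info`, the spinlock, and the `trim_unchecked`/`trim_checked`/`bmap_teardown` functions are all constructed stand-ins whose names only echo the report. It contrasts the unchecked shape with a hardened one that snapshots the pointer under the lock serialising its updates, rejects NULL before any dereference, and keeps the lock across the last use.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the report's bug class (not the jfs code): a
 * per-superblock info struct points at a block map, a teardown path clears
 * that pointer, and an ioctl-style "trim" path dereferences it.
 */
struct bmap {
    unsigned long db_agsize;  /* allocation-group size, used as a sanity bound */
    unsigned long db_nfree;   /* free blocks, what the trim reports back */
};

struct sb_info {
    atomic_flag lock;         /* stand-in for the lock that serialises bmap updates */
    struct bmap *bmap;        /* NULL once the map has been torn down */
};

static void sbi_lock(struct sb_info *sbi)
{
    while (atomic_flag_test_and_set_explicit(&sbi->lock, memory_order_acquire))
        ;   /* spin; a kernel path would block on a proper sleeping lock */
}

static void sbi_unlock(struct sb_info *sbi)
{
    atomic_flag_clear_explicit(&sbi->lock, memory_order_release);
}

/* Teardown path: the pointer becomes NULL while other paths may still run. */
static void bmap_teardown(struct sb_info *sbi)
{
    sbi_lock(sbi);
    sbi->bmap = NULL;
    sbi_unlock(sbi);
}

/*
 * Vulnerable shape: read the pointer, then dereference it with neither a
 * NULL check nor the lock held. If teardown has run, or runs between the
 * read and the use, bmp is NULL and the comparison faults. Only ever
 * called on a live map here.
 */
static long trim_unchecked(struct sb_info *sbi, unsigned long minlen)
{
    struct bmap *bmp = sbi->bmap;

    if (minlen > bmp->db_agsize)   /* NULL dereference when bmp == NULL */
        return -EINVAL;
    return (long)bmp->db_nfree;
}

/*
 * Hardened shape: take the lock, snapshot the pointer, refuse a NULL map
 * before touching it, and hold the lock until the last use so teardown
 * cannot clear the map underneath us. Returns free blocks or -errno.
 */
static long trim_checked(struct sb_info *sbi, unsigned long minlen)
{
    struct bmap *bmp;
    long ret;

    sbi_lock(sbi);
    bmp = sbi->bmap;
    if (bmp == NULL) {
        sbi_unlock(sbi);
        return -EINVAL;   /* map gone: fail the request instead of faulting */
    }
    ret = (minlen > bmp->db_agsize) ? -EINVAL : (long)bmp->db_nfree;
    sbi_unlock(sbi);
    return ret;
}

/*
 * Scenario driver: builds a live map, optionally tears it down first, and
 * returns what the hardened trim reports. Constructed values: agsize 4096,
 * 1200 free blocks.
 */
static long run_scenario(unsigned long minlen, int torn_down)
{
    struct bmap map = { .db_agsize = 4096, .db_nfree = 1200 };
    struct sb_info sbi = { .lock = ATOMIC_FLAG_INIT, .bmap = &map };

    if (torn_down)
        bmap_teardown(&sbi);
    return trim_checked(&sbi, minlen);
}

/* Same driver for the unchecked shape, live map only (NULL would fault). */
static long run_unchecked_live(unsigned long minlen)
{
    struct bmap map = { .db_agsize = 4096, .db_nfree = 1200 };
    struct sb_info sbi = { .lock = ATOMIC_FLAG_INIT, .bmap = &map };

    return trim_unchecked(&sbi, minlen);
}

int main(void)
{
    printf("checked, live map:      %ld\n", run_scenario(64, 0));
    printf("checked, after teardown: %ld\n", run_scenario(64, 1));
    printf("unchecked, live map:    %ld\n", run_unchecked_live(64));
    return 0;
}
```

The point of the model is the ordering in `trim_checked`: the pointer is read and validated under the same lock that `bmap_teardown` takes, so there is no window in which the map can disappear between the check and the use. A NULL check alone, without that serialisation, would still leave the window the report describes open.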
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0d50231d473f89024158dc62624930de45d13718
- https://git.kernel.org/stable/c/4a8cb9908b51500a76f5156423bd295df53bff89
- https://git.kernel.org/stable/c/9806ae34d7d661c372247cd36f83bfa0523d60ed
- https://git.kernel.org/stable/c/a4685408ff6c3e2af366ad9a7274f45ff3f394ee
- https://git.kernel.org/stable/c/a9d41c925069c950e18160e12a7e10e0f58c56fb