CVE-2025-38415

Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 25/07/2025
Last modified: 23/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Squashfs: check return result of sb_min_blocksize

Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug.

Syzkaller forks multiple processes which after mounting the Squashfs
filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000).
Now if this ioctl occurs at the same time another process is in the
process of mounting a Squashfs filesystem on /dev/loop0, the failure
occurs. When this happens the following code in squashfs_fill_super()
fails.

----
msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
msblk->devblksize_log2 = ffz(~msblk->devblksize);
----

sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.

As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2
is set to 64.

This subsequently causes the

UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36
shift exponent 64 is too large for 64-bit type 'u64' (aka
'unsigned long long')

This commit adds a check for a 0 return by sb_min_blocksize().
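
A userspace C model of the failure described above, added here as an illustration and not taken from the kernel or from the fix commit. The names model_ffz, setup_unchecked, setup_checked and shift_is_defined and the sample block size 1024 are assumptions made for the example; model_ffz returns 64 for an all-ones word to match the result the description reports.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the two msblk fields named in the description. */
struct model_sb_info { uint64_t devblksize; unsigned devblksize_log2; };

/* Find first zero bit. Returns 64 when no bit is clear, modelling the
 * value the description reports for ffz(~0). */
static unsigned model_ffz(uint64_t word)
{
    for (unsigned i = 0; i < 64; i++)
        if (!(word & (UINT64_C(1) << i)))
            return i;
    return 64;
}

/* Mirrors the two quoted lines: the block size result is used unchecked. */
static unsigned setup_unchecked(struct model_sb_info *m, uint64_t blocksize_ret)
{
    m->devblksize = blocksize_ret;
    m->devblksize_log2 = model_ffz(~m->devblksize);
    return m->devblksize_log2;
}

/* Same setup, but a 0 result is treated as a failed mount (-1). */
static int setup_checked(struct model_sb_info *m, uint64_t blocksize_ret)
{
    if (blocksize_ret == 0)
        return -1;
    m->devblksize = blocksize_ret;
    m->devblksize_log2 = model_ffz(~m->devblksize);
    return 0;
}

/* A shift of a 64-bit value is only defined for exponents 0..63. */
static int shift_is_defined(unsigned log2) { return log2 < 64; }

int main(void)
{
    struct model_sb_info m = {0, 0};
    uint64_t samples[] = {1024, 0};   /* constructed return values */
    for (int i = 0; i < 2; i++) {
        unsigned l = setup_unchecked(&m, samples[i]);
        printf("ret=%llu unchecked log2=%u shift ok=%d checked rc=%d\n",
               (unsigned long long)samples[i], l, shift_is_defined(l),
               setup_checked(&m, samples[i]));
    }
    return 0;
}
```
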

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.29 (including) 5.4.295 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.239 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.186 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.142 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.94 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.34 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.15.3 (excluding)
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*