CVE-2025-39691
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
05/09/2025
Last modified:
08/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

fs/buffer: fix use-after-free when call bh_read() helper

There's an issue as follows:
BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110
Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0
CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
<IRQ>
dump_stack_lvl+0x55/0x70
print_address_description.constprop.0+0x2c/0x390
print_report+0xb4/0x270
kasan_report+0xb8/0xf0
end_buffer_read_sync+0xe3/0x110
end_bio_bh_io_sync+0x56/0x80
blk_update_request+0x30a/0x720
scsi_end_request+0x51/0x2b0
scsi_io_completion+0xe3/0x480
? scsi_device_unbusy+0x11e/0x160
blk_complete_reqs+0x7b/0x90
handle_softirqs+0xef/0x370
irq_exit_rcu+0xa5/0xd0
sysvec_apic_timer_interrupt+0x6e/0x90
</IRQ>

The above issue happens when doing an ntfs3 filesystem mount; it may happen as follows:

    mount                                   IRQ
    ntfs_fill_super
     read_cache_page
      do_read_cache_folio
       filemap_read_folio
        mpage_read_folio
         do_mpage_readpage
          ntfs_get_block_vbo
           bh_read
            submit_bh
            wait_on_buffer(bh);
                                            blk_complete_reqs
                                             scsi_io_completion
                                              scsi_end_request
                                               blk_update_request
                                                end_bio_bh_io_sync
                                                 end_buffer_read_sync
                                                  __end_buffer_read_notouch
                                                   unlock_buffer
            wait_on_buffer(bh); --> return will return to caller

                                                   put_bh
                                                    --> trigger stack-out-of-bounds

In the mpage_read_folio() function, the stack variable 'map_bh' is
passed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and
wait_on_buffer() returns to continue processing, the stack variable
is likely to be reclaimed. Consequently, during the end_buffer_read_sync()
process, calling put_bh() may result in stack overrun.

If the bh is not allocated on the stack, it belongs to a folio. Freeing
a buffer head which belongs to a folio is done by drop_buffers() which
will fail to free buffers which are still locked. So it is safe to call
put_bh() before __end_buffer_read_notouch().
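The ordering argument in the commit message is easy to lose in the call trace, so the following user-space model (an added example, not kernel code and not part of the referenced commits) reduces it to the two facts that matter: unlock_buffer() is the hand-off point after which a stack-allocated bh may no longer exist, and a folio-owned bh cannot be freed by drop_buffers() while it is still locked. The function names mirror the kernel's; the struct fields `touched_after_unlock`, the `drop_buffers_model()` helper and the single-threaded "completion runs while the waiter is blocked" driver are modelling assumptions made for the example. It contrasts the pre-fix order (unlock, then put_bh) with the fixed order (put_bh, then unlock) and counts any access to the bh after the hand-off.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the struct buffer_head fields that matter for this bug. */
struct buffer_head {
    bool b_locked;             /* BH_Lock: cleared by unlock_buffer() */
    int  b_count;              /* reference count, dropped by put_bh() */
    bool b_uptodate;
    int  touched_after_unlock; /* model-only: accesses to bh after the hand-off */
};

static void lock_buffer(struct buffer_head *bh) { bh->b_locked = true; }
static void get_bh(struct buffer_head *bh)      { bh->b_count++; }

/* unlock_buffer() wakes wait_on_buffer() in bh_read(). When bh lives on the
 * waiter's stack (map_bh in mpage_read_folio()), that frame may be reclaimed
 * as soon as this returns, so nothing in the completion may touch bh afterwards. */
static void unlock_buffer(struct buffer_head *bh) { bh->b_locked = false; }

static void put_bh(struct buffer_head *bh)
{
    if (!bh->b_locked)
        bh->touched_after_unlock++;   /* model-only: this is the KASAN report */
    bh->b_count--;
}

static void __end_buffer_read_notouch(struct buffer_head *bh, int uptodate)
{
    bh->b_uptodate = uptodate != 0;
    unlock_buffer(bh);
}

/* Order before the fix: unlock first, then drop the I/O path's reference. */
static void end_buffer_read_sync_before(struct buffer_head *bh, int uptodate)
{
    __end_buffer_read_notouch(bh, uptodate);
    put_bh(bh);
}

/* Order after the fix: drop the reference while still locked, then unlock. */
static void end_buffer_read_sync_after(struct buffer_head *bh, int uptodate)
{
    put_bh(bh);
    __end_buffer_read_notouch(bh, uptodate);
}

/* Model of drop_buffers(): a folio-owned bh is freed only when it is both
 * unlocked and unreferenced, which is why put_bh() under the lock is safe. */
static bool drop_buffers_model(const struct buffer_head *bh)
{
    return !bh->b_locked && bh->b_count == 0;
}

/* One bh_read()-style round trip on a stack bh: bh_read() locks it,
 * submit_bh() takes a reference, then the completion runs. Returns how
 * many times the completion touched bh after handing it back. */
static int run_completion(void (*completion)(struct buffer_head *, int))
{
    struct buffer_head bh = { 0 };   /* stack-allocated, like map_bh */
    bh.b_count = 1;                  /* owner's reference */
    lock_buffer(&bh);                /* lock_buffer() in bh_read() */
    get_bh(&bh);                     /* get_bh() in submit_bh() */
    completion(&bh, 1);
    return bh.touched_after_unlock;
}

/* Could a folio-owned bh be freed at the moment the fixed completion runs
 * put_bh()? Probe drop_buffers_model() right after the drop. */
static bool freeable_during_fixed_put(void)
{
    struct buffer_head bh = { 0 };
    bh.b_count = 1;
    lock_buffer(&bh);
    get_bh(&bh);
    put_bh(&bh);                     /* fixed order: drop while still locked */
    return drop_buffers_model(&bh);  /* still locked, so it cannot be freed */
}

int main(void)
{
    printf("before fix: %d touch(es) after unlock\n",
           run_completion(end_buffer_read_sync_before));
    printf("after fix:  %d touch(es) after unlock\n",
           run_completion(end_buffer_read_sync_after));
    printf("folio bh freeable during fixed put_bh(): %s\n",
           freeable_during_fixed_put() ? "yes" : "no");
    return 0;
}
```

With the pre-fix order the model records one access after the hand-off, which is the read KASAN flagged in end_buffer_read_sync(); with the fixed order it records none, and the folio case shows the reference drop cannot race with drop_buffers() because the lock is still held.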
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/03b40bf5d0389ca23ae6857ee25789f0e0b47ce8
- https://git.kernel.org/stable/c/042cf48ecf67f72c8b3846c7fac678f472712ff3
- https://git.kernel.org/stable/c/3169edb8945c295cf89120fc6b2c35cfe3ad4c9e
- https://git.kernel.org/stable/c/70a09115da586bf662c3bae9c0c4a1b99251fad9
- https://git.kernel.org/stable/c/7375f22495e7cd1c5b3b5af9dcc4f6dffe34ce49
- https://git.kernel.org/stable/c/90b5193edb323fefbee0e4e5bc39ed89dcc37719
- https://git.kernel.org/stable/c/c58c6b532b7b69537cfd9ef701c7e37cdcf79dc4
- https://git.kernel.org/stable/c/c5aa6ba1127307ab5dc3773eaf40d73a3423841f