CVE-2025-40082
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/10/2025
Last modified:
30/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()

BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
Read of size 2 at addr ffff8880289ef218 by task syz.6.248/14290

CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:

__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x5f0 mm/kasan/report.c:482
kasan_report+0xca/0x100 mm/kasan/report.c:595
hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738
vfs_listxattr+0xbe/0x140 fs/xattr.c:493
listxattr+0xee/0x190 fs/xattr.c:924
filename_listxattr fs/xattr.c:958 [inline]
path_listxattrat+0x143/0x360 fs/xattr.c:988
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe0e9fae16d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3
RAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000
RBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000

Allocated by task 14290:
kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4333 [inline]
__kmalloc_noprof+0x219/0x540 mm/slub.c:4345
kmalloc_noprof include/linux/slab.h:909 [inline]
hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21
hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697
vfs_listxattr+0xbe/0x140 fs/xattr.c:493
listxattr+0xee/0x190 fs/xattr.c:924
filename_listxattr fs/xattr.c:958 [inline]
path_listxattrat+0x143/0x360 fs/xattr.c:988
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
When hfsplus_uni2asc is called from hfsplus_listxattr,
it actually passes in a struct hfsplus_attr_unistr*.
The size of the corresponding structure is different from that of hfsplus_unistr,
so the previous fix (94458781aee6) is insufficient.
The pointer on the unicode buffer is still going beyond the allocated memory.

This patch introduces two wrapper functions, hfsplus_uni2asc_xattr_str and
hfsplus_uni2asc_str, to process two unicode buffers,
struct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.
When the ustrlen value is bigger than the allocated memory size,
the ustrlen value is limited to a safe size.
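The clamp the commit message describes, as an added user-space illustration rather than the kernel's own code: the on-disk length prefix is attacker-controlled data, and the number of units that may safely be read depends on which struct was actually allocated, so the bound has to be chosen per type, in a wrapper, before the shared conversion loop runs. The array sizes below (255 and 127) are assumed to match the kernel's HFSPLUS_MAX_STRLEN and HFSPLUS_ATTR_MAX_STRLEN, the conversion is reduced to plain ASCII copying (the real hfsplus_uni2asc also handles decomposition and NLS tables), and uni2asc_str / uni2asc_xattr_str are stand-ins for the hfsplus_uni2asc_str / hfsplus_uni2asc_xattr_str wrappers the patch adds.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed capacities of the two on-disk string layouts (believed to match
 * the kernel's HFSPLUS_MAX_STRLEN / HFSPLUS_ATTR_MAX_STRLEN; verify against
 * fs/hfsplus/hfsplus_raw.h before relying on them). */
#define HFSPLUS_MAX_STRLEN      255
#define HFSPLUS_ATTR_MAX_STRLEN 127

typedef uint16_t be16;   /* 16-bit unit stored big-endian on disk */

/* File-name string: length prefix plus up to 255 UTF-16BE units. */
struct hfsplus_unistr {
    be16 length;
    be16 unicode[HFSPLUS_MAX_STRLEN];
};

/* Extended-attribute key: same prefix, but only 127 units of storage,
 * which is why a single conversion routine cannot guess the bound. */
struct hfsplus_attr_unistr {
    be16 length;
    be16 unicode[HFSPLUS_ATTR_MAX_STRLEN];
};

static uint16_t be16_to_cpu(be16 v)
{
    const unsigned char *b = (const unsigned char *)&v;
    return (uint16_t)((b[0] << 8) | b[1]);
}

static be16 cpu_to_be16(uint16_t v)
{
    be16 out;
    unsigned char *b = (unsigned char *)&out;
    b[0] = (unsigned char)(v >> 8);
    b[1] = (unsigned char)(v & 0xff);
    return out;
}

/* Never trust the length field past the units that physically exist. */
static size_t clamp_ustrlen(size_t ustrlen, size_t max_units)
{
    return ustrlen > max_units ? max_units : ustrlen;
}

/* Shared loop, simplified: ASCII units are copied, anything else becomes '?'.
 * max_units is supplied by the caller, which knows the real struct type.
 * Writes a NUL-terminated string into astr (capacity astr_size) and returns
 * the number of bytes produced. */
static size_t uni2asc_units(const be16 *unicode, size_t ustrlen, size_t max_units,
                            char *astr, size_t astr_size)
{
    size_t n = clamp_ustrlen(ustrlen, max_units);
    size_t i, out = 0;

    for (i = 0; i < n && out + 1 < astr_size; i++) {
        uint16_t cu = be16_to_cpu(unicode[i]);
        astr[out++] = (cu != 0 && cu < 0x80) ? (char)cu : '?';
    }
    astr[out] = '\0';
    return out;
}

/* Wrapper for the file-name layout (stand-in for hfsplus_uni2asc_str). */
size_t uni2asc_str(const struct hfsplus_unistr *ustr, char *astr, size_t astr_size)
{
    return uni2asc_units(ustr->unicode, be16_to_cpu(ustr->length),
                         HFSPLUS_MAX_STRLEN, astr, astr_size);
}

/* Wrapper for the xattr-key layout (stand-in for hfsplus_uni2asc_xattr_str). */
size_t uni2asc_xattr_str(const struct hfsplus_attr_unistr *ustr, char *astr, size_t astr_size)
{
    return uni2asc_units(ustr->unicode, be16_to_cpu(ustr->length),
                         HFSPLUS_ATTR_MAX_STRLEN, astr, astr_size);
}

/* Constructed input: an xattr key whose length field claims 300 units while
 * the struct only holds 127, the shape behind the KASAN report above.
 * With the clamp, exactly 127 units are read and nothing past the struct. */
size_t demo_oversized_xattr_key(char *astr, size_t astr_size)
{
    struct hfsplus_attr_unistr key;
    size_t i;

    memset(&key, 0, sizeof key);
    key.length = cpu_to_be16(300);          /* overstated on purpose */
    for (i = 0; i < HFSPLUS_ATTR_MAX_STRLEN; i++)
        key.unicode[i] = cpu_to_be16((uint16_t)('a' + (i % 26)));

    return uni2asc_xattr_str(&key, astr, astr_size);
}

int main(void)
{
    char buf[256];
    size_t n = demo_oversized_xattr_key(buf, sizeof buf);
    printf("converted %zu units (clamped from 300): %s\n", n, buf);
    return 0;
}
```

The point of the two thin wrappers is that the clamp bound is a property of the type being converted, not something the generic routine can infer from a `void *` or a shared prefix: the earlier fix bounded against the larger hfsplus_unistr, which still over-reads when the allocation is the smaller hfsplus_attr_unistr.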