CVE-2025-40205

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
12/11/2025
Last modified:
12/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: avoid potential out-of-bounds in btrfs_encode_fh()

The function btrfs_encode_fh() does not properly account for the three cases it handles.

Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).

However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT (10 dwords, 40 bytes).

If *max_len is not large enough, this write goes out of bounds because BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than BTRFS_FID_SIZE_CONNECTABLE originally returned.

This results in an 8-byte out-of-bounds write at fid->parent_root_objectid = parent_root_id.

A previous attempt to fix this issue was made but was lost.

https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/

Although this issue does not seem to be easily triggerable, it is a potential memory corruption bug that should be fixed. This patch resolves the issue by ensuring the function returns the appropriate size for all three cases and validates that *max_len is large enough before writing any data.
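To make the size accounting concrete, the following is a user-space model of the three cases the description lists, added here as an illustration; it is not the kernel's btrfs_encode_fh() or its patch. The packed fid layout (offsets 0/8/16, 20/28, 32; 40 bytes total), the FILEID_* return values and the sample inode and root IDs are re-created from the 20/32/40-byte sizes quoted above and from my reading of the kernel headers, so treat them as assumptions. The vulnerable shape checks *max_len before it knows which case applies, so a caller who offers exactly 8 dwords gets an 8-byte write at offset 32; the fixed shape picks the case first, compares *max_len with that case's size, and only then writes. The harness places 8 guard bytes after an 8-dword buffer (constructed test data) and reports whether they were overwritten.

```c
/*
 * Stand-alone model of the three btrfs_encode_fh() cases from the text.
 * Not the kernel's code: struct layout, FILEID_* values and sample inodes
 * are re-created from the description (20/32/40 bytes) and are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FID_SIZE_NON_CONNECTABLE   5	/* dwords: 20 bytes */
#define FID_SIZE_CONNECTABLE       8	/* dwords: 32 bytes */
#define FID_SIZE_CONNECTABLE_ROOT 10	/* dwords: 40 bytes */
#define FILEID_BTRFS_WITHOUT_PARENT   0x4d	/* values as in exportfs.h (assumed) */
#define FILEID_BTRFS_WITH_PARENT      0x4e
#define FILEID_BTRFS_WITH_PARENT_ROOT 0x4f
#define FILEID_INVALID                0xff

/* Packed so the offsets are 0/8/16 | 20/28 | 32 and sizeof == 40. */
struct btrfs_fid {
	uint64_t objectid, root_objectid; uint32_t gen;
	uint64_t parent_objectid;         uint32_t parent_gen;
	uint64_t parent_root_objectid;
} __attribute__((packed));

struct inode_model { uint64_t ino, root_id; uint32_t gen; };
typedef int (*encode_fn)(uint32_t *, int *, const struct inode_model *,
			 const struct inode_model *);

static void put_inode(struct btrfs_fid *f, const struct inode_model *i)
{
	f->objectid = i->ino; f->root_objectid = i->root_id; f->gen = i->gen;
}

/* Vulnerable shape: *max_len is checked before the case is known, so the
 * parent-in-another-root case writes 10 dwords into an 8-dword buffer. */
static int encode_fh_vulnerable(uint32_t *fh, int *max_len,
		const struct inode_model *inode, const struct inode_model *parent)
{
	struct btrfs_fid *fid = (struct btrfs_fid *)fh;
	int len = *max_len, type = FILEID_BTRFS_WITHOUT_PARENT;

	if (parent && len < FID_SIZE_CONNECTABLE) {
		*max_len = FID_SIZE_CONNECTABLE;	/* still too small for case 3 */
		return FILEID_INVALID;
	} else if (len < FID_SIZE_NON_CONNECTABLE) {
		*max_len = FID_SIZE_NON_CONNECTABLE;
		return FILEID_INVALID;
	}
	len = FID_SIZE_NON_CONNECTABLE;
	put_inode(fid, inode);
	if (parent) {
		fid->parent_objectid = parent->ino; fid->parent_gen = parent->gen;
		len = FID_SIZE_CONNECTABLE; type = FILEID_BTRFS_WITH_PARENT;
		if (parent->root_id != inode->root_id) {
			/* 8-byte write at offset 32: only 32 bytes were checked */
			fid->parent_root_objectid = parent->root_id;
			len = FID_SIZE_CONNECTABLE_ROOT; type = FILEID_BTRFS_WITH_PARENT_ROOT;
		}
	}
	*max_len = len;
	return type;
}

/* Fixed shape: pick the case, check *max_len against its size, then write. */
static int encode_fh_fixed(uint32_t *fh, int *max_len,
		const struct inode_model *inode, const struct inode_model *parent)
{
	struct btrfs_fid *fid = (struct btrfs_fid *)fh;
	int need = FID_SIZE_NON_CONNECTABLE, type = FILEID_BTRFS_WITHOUT_PARENT;

	if (parent && parent->root_id == inode->root_id) {
		need = FID_SIZE_CONNECTABLE; type = FILEID_BTRFS_WITH_PARENT;
	} else if (parent) {
		need = FID_SIZE_CONNECTABLE_ROOT; type = FILEID_BTRFS_WITH_PARENT_ROOT;
	}
	if (*max_len < need) {
		*max_len = need;	/* caller learns the real requirement */
		return FILEID_INVALID;
	}
	put_inode(fid, inode);
	if (parent) {
		fid->parent_objectid = parent->ino; fid->parent_gen = parent->gen;
		if (need == FID_SIZE_CONNECTABLE_ROOT)
			fid->parent_root_objectid = parent->root_id;
	}
	*max_len = need;
	return type;
}

struct trial { int ret, len, guard_hit; };

/* Constructed input: an 8-dword buffer followed by 8 guard bytes. Reports the
 * returned type, the *max_len handed back, and whether the guard (memory past
 * the 8 dwords) was written. parent_mode: 0 none, 1 same root, 2 other root. */
static struct trial run_trial(encode_fn fn, int max_len, int parent_mode)
{
	const struct inode_model inode = { 257, 5, 1 }, same = { 256, 5, 1 },
				 other = { 256, 256, 1 };
	const struct inode_model *parent = parent_mode == 0 ? NULL :
					   parent_mode == 1 ? &same : &other;
	unsigned char guard[8], *raw = malloc(FID_SIZE_CONNECTABLE_ROOT * 4);
	struct trial t = { 0, max_len, 0 };

	if (!raw) abort();
	memset(guard, 0xaa, sizeof guard);
	memset(raw, 0, FID_SIZE_CONNECTABLE * 4);
	memcpy(raw + FID_SIZE_CONNECTABLE * 4, guard, sizeof guard);
	t.ret = fn((uint32_t *)raw, &t.len, &inode, parent);
	t.guard_hit = memcmp(raw + FID_SIZE_CONNECTABLE * 4, guard, sizeof guard) != 0;
	free(raw);
	return t;
}

int main(void)
{
	struct trial v = run_trial(encode_fh_vulnerable, FID_SIZE_CONNECTABLE, 2);
	struct trial f = run_trial(encode_fh_fixed, FID_SIZE_CONNECTABLE, 2);
	printf("vulnerable: type=0x%02x max_len=%d guard overwritten=%d\n", v.ret, v.len, v.guard_hit);
	printf("fixed:      type=0x%02x max_len=%d guard overwritten=%d\n", f.ret, f.len, f.guard_hit);
	return 0;
}
```

Two details worth checking in any similar encode_fh implementation: the vulnerable shape also tells a caller who offered fewer than 8 dwords that 8 is enough, so a caller that retries with the returned size lands exactly in the overflowing case, whereas the fixed shape reports 10 for the cross-root case; and the fixed version writes nothing before the size check passes, so a too-small buffer is left untouched. As the description notes, reaching the cross-root parent case from user space does not appear easy, but the write is a plain 8-byte overflow past the caller's buffer once it is reached.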

Impact