Instituto Nacional de Ciberseguridad (National Cybersecurity Institute). INCIBE section
Instituto Nacional de Ciberseguridad (National Cybersecurity Institute). INCIBE-CERT section

CVE-2025-39723

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
05/09/2025
Last modified:
08/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix unbuffered write error handling

If all the subrequests in an unbuffered write stream fail, the subrequest
collector doesn't update the stream->transferred value and it retains its
initial LONG_MAX value. Unfortunately, if all active streams fail, then we
take the smallest value of { LONG_MAX, LONG_MAX, ... } as the value to set
in wreq->transferred - which is then returned from ->write_iter().

LONG_MAX was chosen as the initial value so that all the streams can be
quickly assessed by taking the smallest value of all stream->transferred -
but this only works if we've set any of them.

Fix this by adding a flag to indicate whether the value in
stream->transferred is valid and checking that when we integrate the
values. stream->transferred can then be initialised to zero.

This was found by running the generic/750 xfstest against cifs with
cache=none. It splices data to the target file. Once (if) it has used up
all the available scratch space, the writes start failing with ENOSPC.
This causes ->write_iter() to fail. However, it was returning
wreq->transferred, i.e. LONG_MAX, rather than an error (because it thought
the amount transferred was non-zero) and iter_file_splice_write() would
then try to clean up that amount of pipe bufferage - leading to an oops
when it overran. The kernel log showed:

CIFS: VFS: Send error in write = -28

followed by:

BUG: kernel NULL pointer dereference, address: 0000000000000008

with:

RIP: 0010:iter_file_splice_write+0x3a4/0x520
do_splice+0x197/0x4e0

or:

RIP: 0010:pipe_buf_release (include/linux/pipe_fs_i.h:282)
iter_file_splice_write (fs/splice.c:755)

Also put a warning check into splice to announce if ->write_iter() returned
that it had written more than it was asked to.
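The collector step the description refers to, as an added model written for this entry rather than kernel code: `struct stream`, `subreq_done`, `collect` and `run_write` are simplified names of my own, the stream bookkeeping is reduced to the fields the bug needs, and the same collector is run in its LONG_MAX-initialised form and with the validity flag the fix adds.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>

struct stream {
    bool transferred_valid; /* fix: collector has recorded a count */
    long transferred;       /* bytes this stream completed */
    int error;              /* negative errno, 0 if none */
};

/* Subrequest completion: only a success records a count, so a stream
 * whose every subrequest failed keeps its initial transferred value. */
void subreq_done(struct stream *s, long nbytes, int err)
{
    if (err) { if (!s->error) s->error = err; return; }
    s->transferred = nbytes;
    s->transferred_valid = true;
}

/* Collector: the write's result is the smallest count over the streams. Buggy form:
 * every stream is integrated, so all-failed streams yield LONG_MAX. Fixed form:
 * only flagged-valid counts are integrated; none valid means 0 bytes. */
long collect(const struct stream *s, int n, bool fixed)
{
    long transferred = LONG_MAX;
    bool any_valid = false;
    int error = 0;
    for (int i = 0; i < n; i++) {
        if (!fixed || s[i].transferred_valid) {
            any_valid = true;
            if (s[i].transferred < transferred) transferred = s[i].transferred;
        }
        if (s[i].error && !error) error = s[i].error;
    }
    if (!any_valid) transferred = 0;
    return transferred ? transferred : error; /* non-zero count masks the error */
}

/* One two-stream unbuffered write; each stream starts with no recorded count
 * (LONG_MAX before the fix, 0 after). A negative bytes value makes every
 * subrequest of that stream fail with ENOSPC, as in the generic/750 run. */
long run_write(bool fixed, long bytes0, long bytes1)
{
    struct stream s[2];
    for (int i = 0; i < 2; i++) {
        long b = i ? bytes1 : bytes0;
        s[i] = (struct stream){ .transferred = fixed ? 0 : LONG_MAX };
        subreq_done(&s[i], b < 0 ? 0 : b, b < 0 ? -ENOSPC : 0);
    }
    return collect(s, 2, fixed);
}
```

With every subrequest failing, the buggy form hands LONG_MAX back as a byte count (the value splice then tried to clean up), while the fixed form reports -ENOSPC; a partially successful write gives the same minimum under both.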

Impact