CVE-2025-40044
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
28/10/2025
Última modificación:
29/10/2025
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
fs: udf: fix OOB read in lengthAllocDescs handling<br />
<br />
When parsing Allocation Extent Descriptor, lengthAllocDescs comes from<br />
on-disk data and must be validated against the block size. Crafted or<br />
corrupted images may set lengthAllocDescs so that the total descriptor<br />
length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,<br />
leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and<br />
trigger a KASAN use-after-free read.<br />
<br />
BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60<br />
Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309<br />
<br />
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0<br />
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br />
Call Trace:<br />
<br />
__dump_stack lib/dump_stack.c:94 [inline]<br />
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120<br />
print_address_description mm/kasan/report.c:377 [inline]<br />
print_report+0x169/0x550 mm/kasan/report.c:488<br />
kasan_report+0x143/0x180 mm/kasan/report.c:601<br />
crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60<br />
udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261<br />
udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179<br />
extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46<br />
udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106<br />
udf_release_file+0xc1/0x120 fs/udf/file.c:185<br />
__fput+0x23f/0x880 fs/file_table.c:431<br />
task_work_run+0x24f/0x310 kernel/task_work.c:239<br />
exit_task_work include/linux/task_work.h:43 [inline]<br />
do_exit+0xa2f/0x28e0 kernel/exit.c:939<br />
do_group_exit+0x207/0x2c0 kernel/exit.c:1088<br />
__do_sys_exit_group kernel/exit.c:1099 [inline]<br />
__se_sys_exit_group kernel/exit.c:1097 [inline]<br />
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097<br />
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
<br />
<br />
Validate the computed total length against epos->bh->b_size.<br />
<br />
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Impacto
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/14496175b264d30c2045584ee31d062af2e3a660
- https://git.kernel.org/stable/c/1d1847812a1a5375c10a2a779338df643f79c047
- https://git.kernel.org/stable/c/3bd5e45c2ce30e239d596becd5db720f7eb83c99
- https://git.kernel.org/stable/c/459404f858213967ccfff336c41747d8dd186d38
- https://git.kernel.org/stable/c/918649364fbca7d5df72522ca795479edcd25f91
- https://git.kernel.org/stable/c/a70dcfa8d0a0cc530a6af59483dfca260b652c1b
- https://git.kernel.org/stable/c/b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24
- https://git.kernel.org/stable/c/d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818