CVE-2025-40295

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fscrypt: fix left shift underflow when inode-&gt;i_blkbits &gt; PAGE_SHIFT<br /> <br /> When simulating an nvme device on qemu with both logical_block_size and<br /> physical_block_size set to 8 KiB, an error trace appears during<br /> partition table reading at boot time. The issue is caused by<br /> inode-&gt;i_blkbits being larger than PAGE_SHIFT, which leads to a left<br /> shift of -1 and triggering a UBSAN warning.<br /> <br /> [ 2.697306] ------------[ cut here ]------------<br /> [ 2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37<br /> [ 2.697311] shift exponent -1 is negative<br /> [ 2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary)<br /> [ 2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014<br /> [ 2.697320] Call Trace:<br /> [ 2.697324] <br /> [ 2.697325] dump_stack_lvl+0x76/0xa0<br /> [ 2.697340] dump_stack+0x10/0x20<br /> [ 2.697342] __ubsan_handle_shift_out_of_bounds+0x1e3/0x390<br /> [ 2.697351] bh_get_inode_and_lblk_num.cold+0x12/0x94<br /> [ 2.697359] fscrypt_set_bio_crypt_ctx_bh+0x44/0x90<br /> [ 2.697365] submit_bh_wbc+0xb6/0x190<br /> [ 2.697370] block_read_full_folio+0x194/0x270<br /> [ 2.697371] ? __pfx_blkdev_get_block+0x10/0x10<br /> [ 2.697375] ? __pfx_blkdev_read_folio+0x10/0x10<br /> [ 2.697377] blkdev_read_folio+0x18/0x30<br /> [ 2.697379] filemap_read_folio+0x40/0xe0<br /> [ 2.697382] filemap_get_pages+0x5ef/0x7a0<br /> [ 2.697385] ? mmap_region+0x63/0xd0<br /> [ 2.697389] filemap_read+0x11d/0x520<br /> [ 2.697392] blkdev_read_iter+0x7c/0x180<br /> [ 2.697393] vfs_read+0x261/0x390<br /> [ 2.697397] ksys_read+0x71/0xf0<br /> [ 2.697398] __x64_sys_read+0x19/0x30<br /> [ 2.697399] x64_sys_call+0x1e88/0x26a0<br /> [ 2.697405] do_syscall_64+0x80/0x670<br /> [ 2.697410] ? __x64_sys_newfstat+0x15/0x20<br /> [ 2.697414] ? x64_sys_call+0x204a/0x26a0<br /> [ 2.697415] ? do_syscall_64+0xb8/0x670<br /> [ 2.697417] ? irqentry_exit_to_user_mode+0x2e/0x2a0<br /> [ 2.697420] ? irqentry_exit+0x43/0x50<br /> [ 2.697421] ? exc_page_fault+0x90/0x1b0<br /> [ 2.697422] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [ 2.697425] RIP: 0033:0x75054cba4a06<br /> [ 2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08<br /> [ 2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000<br /> [ 2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06<br /> [ 2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b<br /> [ 2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000<br /> [ 2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000<br /> [ 2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0<br /> [ 2.697436] <br /> [ 2.697436] ---[ end trace ]---<br /> <br /> This situation can happen for block devices because when<br /> CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size<br /> is 64 KiB. set_init_blocksize() then sets the block device<br /> inode-&gt;i_blkbits to 13, which is within this limit.<br /> <br /> File I/O does not trigger this problem because for filesystems that do<br /> not support the FS_LBS feature, sb_set_blocksize() prevents<br /> sb-&gt;s_blocksize_bits from being larger than PAGE_SHIFT. During inode<br /> allocation, alloc_inode()-&gt;inode_init_always() assigns inode-&gt;i_blkbits<br /> from sb-&gt;s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS<br /> flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not<br /> hit the left-shift underflow issue.<br /> <br /> [EB: use folio_pos() and consolidate the two shifts by i_blkbits]