Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-22123

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/04/2025
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to avoid accessing uninitialized curseg<br /> <br /> syzbot reports a f2fs bug as below:<br /> <br /> F2FS-fs (loop3): Stopped filesystem due to reason: 7<br /> kworker/u8:7: attempt to access beyond end of device<br /> BUG: unable to handle page fault for address: ffffed1604ea3dfa<br /> RIP: 0010:get_ckpt_valid_blocks fs/f2fs/segment.h:361 [inline]<br /> RIP: 0010:has_curseg_enough_space fs/f2fs/segment.h:570 [inline]<br /> RIP: 0010:__get_secs_required fs/f2fs/segment.h:620 [inline]<br /> RIP: 0010:has_not_enough_free_secs fs/f2fs/segment.h:633 [inline]<br /> RIP: 0010:has_enough_free_secs+0x575/0x1660 fs/f2fs/segment.h:649<br /> <br /> f2fs_is_checkpoint_ready fs/f2fs/segment.h:671 [inline]<br /> f2fs_write_inode+0x425/0x540 fs/f2fs/inode.c:791<br /> write_inode fs/fs-writeback.c:1525 [inline]<br /> __writeback_single_inode+0x708/0x10d0 fs/fs-writeback.c:1745<br /> writeback_sb_inodes+0x820/0x1360 fs/fs-writeback.c:1976<br /> wb_writeback+0x413/0xb80 fs/fs-writeback.c:2156<br /> wb_do_writeback fs/fs-writeback.c:2303 [inline]<br /> wb_workfn+0x410/0x1080 fs/fs-writeback.c:2343<br /> process_one_work kernel/workqueue.c:3236 [inline]<br /> process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317<br /> worker_thread+0x870/0xd30 kernel/workqueue.c:3398<br /> kthread+0x7a9/0x920 kernel/kthread.c:464<br /> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> <br /> Commit 8b10d3653735 ("f2fs: introduce FAULT_NO_SEGMENT") allows to trigger<br /> no free segment fault in allocator, then it will update curseg-&gt;segno to<br /> NULL_SEGNO, though, CP_ERROR_FLAG has been set, f2fs_write_inode() missed<br /> to check the flag, and access invalid curseg-&gt;segno directly in below call<br /> path, then resulting in panic:<br /> <br /> - f2fs_write_inode<br /> - f2fs_is_checkpoint_ready<br /> - has_enough_free_secs<br /> - has_not_enough_free_secs<br /> - __get_secs_required<br /> - has_curseg_enough_space<br /> - get_ckpt_valid_blocks<br /> : access invalid curseg-&gt;segno<br /> <br /> To avoid this issue, let&amp;#39;s:<br /> - check CP_ERROR_FLAG flag in prior to f2fs_is_checkpoint_ready() in<br /> f2fs_write_inode().<br /> - in has_curseg_enough_space(), save curseg-&gt;segno into a temp variable,<br /> and verify its validation before use.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.9 (including) 6.12.33 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.14.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools