CVE-2025-37742

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jfs: Fix uninit-value access of imap allocated in the diMount() function<br /> <br /> syzbot reports that hex_dump_to_buffer is using uninit-value:<br /> <br /> =====================================================<br /> BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171<br /> hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171<br /> print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276<br /> diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876<br /> jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156<br /> evict+0x723/0xd10 fs/inode.c:796<br /> iput_final fs/inode.c:1946 [inline]<br /> iput+0x97b/0xdb0 fs/inode.c:1972<br /> txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367<br /> txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]<br /> jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733<br /> kthread+0x6b9/0xef0 kernel/kthread.c:464<br /> ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook mm/slub.c:4121 [inline]<br /> slab_alloc_node mm/slub.c:4164 [inline]<br /> __kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320<br /> kmalloc_noprof include/linux/slab.h:901 [inline]<br /> diMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105<br /> jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176<br /> jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523<br /> get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636<br /> get_tree_bdev+0x37/0x50 fs/super.c:1659<br /> jfs_get_tree+0x34/0x40 fs/jfs/super.c:635<br /> vfs_get_tree+0xb1/0x5a0 fs/super.c:1814<br /> do_new_mount+0x71f/0x15e0 fs/namespace.c:3560<br /> path_mount+0x742/0x1f10 fs/namespace.c:3887<br /> do_mount fs/namespace.c:3900 [inline]<br /> __do_sys_mount fs/namespace.c:4111 [inline]<br /> __se_sys_mount+0x71f/0x800 fs/namespace.c:4088<br /> __x64_sys_mount+0xe4/0x150 fs/namespace.c:4088<br /> x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> =====================================================<br /> <br /> The reason is that imap is not properly initialized after memory<br /> allocation. It will cause the snprintf() function to write uninitialized<br /> data into linebuf within hex_dump_to_buffer().<br /> <br /> Fix this by using kzalloc instead of kmalloc to clear its content at the<br /> beginning in diMount().