CVE-2025-37785

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 18/04/2025
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix OOB read when checking dotdot dir

Mounting a corrupted filesystem with directory which contains '.' dir entry with rec_len == block size results in out-of-bounds read (later on, when the corrupted directory is removed).

ext4_empty_dir() assumes every ext4 directory contains at least '.' and '..' as directory entries in the first data block. It first loads the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry() and then uses its rec_len member to compute the location of '..' dir entry (in ext4_next_entry). It assumes the '..' dir entry fits into the same data block.

If the rec_len of '.' is precisely one block (4KB), it slips through the sanity checks (it is considered the last directory entry in the data block) and leaves "struct ext4_dir_entry_2 *de" point exactly past the memory slot allocated to the data block. The following call to ext4_check_dir_entry() on new value of de then dereferences this pointer which results in out-of-bounds mem access.

Fix this by extending __ext4_check_dir_entry() to check for '.' dir entries that reach the end of data block. Make sure to ignore the phony dir entries for checksum (by checking name_len for non-zero).

Note: This is reported by KASAN as use-after-free in case another structure was recently freed from the slot past the bound, but it is really an OOB read.

This issue was found by syzkaller tool.

Call Trace:
[ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710
[ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375
[ 38.595158]
[ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1
[ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 38.595304] Call Trace:
[ 38.595308]
[ 38.595311] dump_stack_lvl+0xa7/0xd0
[ 38.595325] print_address_description.constprop.0+0x2c/0x3f0
[ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595349] print_report+0xaa/0x250
[ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595368] ? kasan_addr_to_slab+0x9/0x90
[ 38.595378] kasan_report+0xab/0xe0
[ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595400] __ext4_check_dir_entry+0x67e/0x710
[ 38.595410] ext4_empty_dir+0x465/0x990
[ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10
[ 38.595432] ext4_rmdir.part.0+0x29a/0xd10
[ 38.595441] ? __dquot_initialize+0x2a7/0xbf0
[ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10
[ 38.595464] ? __pfx___dquot_initialize+0x10/0x10
[ 38.595478] ? down_write+0xdb/0x140
[ 38.595487] ? __pfx_down_write+0x10/0x10
[ 38.595497] ext4_rmdir+0xee/0x140
[ 38.595506] vfs_rmdir+0x209/0x670
[ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190
[ 38.595529] do_rmdir+0x363/0x3c0
[ 38.595537] ? __pfx_do_rmdir+0x10/0x10
[ 38.595544] ? strncpy_from_user+0x1ff/0x2e0
[ 38.595561] __x64_sys_unlinkat+0xf0/0x130
[ 38.595570] do_syscall_64+0x5b/0x180
[ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e
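The walk described above, as an added example that is not kernel code or part of this record: a simplified C model of how ext4_empty_dir() validates '.' and steps to '..' inside a 4 KiB directory block, with the pre-fix and hardened sanity check side by side. `struct dir_entry`, `check_dir_entry()`, `locate_dotdot()` and the constructed blocks are this example's own names and simplifications; the hardened branch mirrors the idea of the fix (reject a '.' entry whose rec_len reaches the end of the block, skipping checksum tails by their zero name_len), not the kernel's exact source.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE  4096
#define MIN_REC_LEN 12  /* 8-byte header + 1-byte name, rounded up to a multiple of 4 */
/* Simplified model of struct ext4_dir_entry_2 (native byte order assumed, not on-disk LE). */
struct dir_entry { uint32_t inode; uint16_t rec_len; uint8_t name_len, file_type; char name[]; };

/* Model of the per-entry sanity check. harden=0 mirrors the pre-fix logic, which accepts
 * an entry ending exactly at the block boundary as the last one; harden=1 also rejects a
 * '.' that reaches the block end, since '..' must follow it. Checksum tails (name_len 0) never match. */
static int check_dir_entry(const uint8_t *block, unsigned off, int harden) {
    const struct dir_entry *de = (const struct dir_entry *)(block + off);
    unsigned next = off + de->rec_len;
    if (de->rec_len < MIN_REC_LEN || de->rec_len % 4 || next > BLOCK_SIZE) return 0;
    if (8u + de->name_len > de->rec_len) return 0;                /* name overruns its entry */
    if (harden && next == BLOCK_SIZE && de->name_len == 1 && de->name[0] == '.') return 0;
    return 1;
}

/* Model of the start of ext4_empty_dir(): check '.', then step to '..' using its rec_len.
 * Returns 1 if '..' lies inside the block, 0 if '.' was rejected, -1 if the step lands
 * past the block end (the out-of-bounds read this record describes). */
static int locate_dotdot(const uint8_t *block, int harden) {
    const struct dir_entry *dot = (const struct dir_entry *)block;
    if (!check_dir_entry(block, 0, harden)) return 0;
    return dot->rec_len >= BLOCK_SIZE ? -1 : 1;
}

static void put_entry(uint8_t *b, unsigned off, uint16_t rec_len, const char *name) {
    struct dir_entry *de = (struct dir_entry *)(b + off);
    de->inode = 2; de->rec_len = rec_len; de->file_type = 2;
    de->name_len = (uint8_t)strlen(name); memcpy(de->name, name, de->name_len);
}

/* Constructed blocks: corrupt has '.' with rec_len == block size and nothing else;
 * valid has the usual 12-byte '.' followed by '..' filling the rest of the block. */
static int dir_walk_result(int corrupt, int harden) {
    static _Alignas(4) uint8_t b[BLOCK_SIZE]; memset(b, 0, sizeof b);
    if (corrupt) put_entry(b, 0, BLOCK_SIZE, ".");
    else { put_entry(b, 0, MIN_REC_LEN, "."); put_entry(b, MIN_REC_LEN, BLOCK_SIZE - MIN_REC_LEN, ".."); }
    return locate_dotdot(b, harden);
}

int main(void) {
    for (int c = 0; c < 2; c++)
        printf("%s block: pre-fix %d, hardened %d\n", c ? "corrupt" : "valid",
               dir_walk_result(c, 0), dir_walk_result(c, 1));
}
```

For the corrupt block the pre-fix check returns 1 and the walk lands at offset 4096 (result -1), while the hardened check rejects the '.' entry up front (result 0); the well-formed block yields 1 in both modes.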

Vulnerable products and versions

CPE                                              From (including)   Up to (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     2.6.19             5.10.236
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.11               5.15.180
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.16               6.1.134
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.2                6.6.87
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.7                6.12.23
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.13               6.13.11
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.14               6.14.2