CVE-2025-38677

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to avoid out-of-boundary access in dnode page<br /> <br /> As Jiaming Zhang reported:<br /> <br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0x17e/0x800 mm/kasan/report.c:480<br /> kasan_report+0x147/0x180 mm/kasan/report.c:593<br /> data_blkaddr fs/f2fs/f2fs.h:3053 [inline]<br /> f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]<br /> f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855<br /> f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195<br /> prepare_write_begin fs/f2fs/data.c:3395 [inline]<br /> f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594<br /> generic_perform_write+0x2c7/0x910 mm/filemap.c:4112<br /> f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]<br /> f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216<br /> new_sync_write fs/read_write.c:593 [inline]<br /> vfs_write+0x546/0xa90 fs/read_write.c:686<br /> ksys_write+0x149/0x250 fs/read_write.c:738<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> The root cause is in the corrupted image, there is a dnode has the same<br /> node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to<br /> access block address in dnode at offset 934, however it parses the dnode<br /> as inode node, so that get_dnode_addr() returns 360, then it tries to<br /> access page address from 360 + 934 * 4 = 4096 w/ 4 bytes.<br /> <br /> To fix this issue, let&amp;#39;s add sanity check for node id of all direct nodes<br /> during f2fs_get_dnode_of_data().