Vulnerabilidad en kernel de Linux (CVE-2025-38194)
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
04/07/2025
Última modificación:
04/07/2025
Descripción
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: jffs2: comprobar que los nodos sin procesar se hayan preasignado antes de escribir el resumen Syzkaller detectó un error del kernel en jffs2_link_node_ref, causado por la inyección de un fallo en jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode no comprueba el valor de retorno de jffs2_prealloc_raw_node_refs y simplemente permite que cualquier error se propague a jffs2_sum_write_data, que eventualmente llama a jffs2_link_node_ref para vincular el resumen a un nodo asignado como se esperaba. ERROR de fs/jffs2/nodelist.c:592! invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592 Call Trace: jffs2_sum_write_data fs/jffs2/summary.c:841 [inline] jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874 jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388 jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197 jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301 generic_perform_write+0x314/0x5d0 mm/filemap.c:3856 __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973 generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005 call_write_iter include/linux/fs.h:2265 [inline] do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735 do_iter_write+0x186/0x710 fs/read_write.c:861 vfs_iter_write+0x70/0xa0 fs/read_write.c:902 iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 do_splice_from fs/splice.c:763 [inline] direct_splice_actor+0x10c/0x170 fs/splice.c:950 splice_direct_to_actor+0x337/0xa10 fs/splice.c:896 do_splice_direct+0x1a9/0x280 fs/splice.c:1002 do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 __do_sys_sendfile64 fs/read_write.c:1323 [inline] __se_sys_sendfile64 fs/read_write.c:1309 [inline] __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Fix this issue by checking return value of jffs2_prealloc_raw_node_refs before calling jffs2_sum_write_data. Solucione este problema comprobando el valor de retorno de jffs2_prealloc_raw_node_refs antes de llamar a jffs2_sum_write_data. Encontrado por el Centro de Verificación de Linux (linuxtesting.org) con Syzkaller.
Impacto
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/337f80f3d546e131c7aa90b61d8cde051ae858c7
- https://git.kernel.org/stable/c/346cfb9d19ea7feb6fb57917b21c4797fb444dab
- https://git.kernel.org/stable/c/3f46644a5131a4793fc95c32a7d0a769745b06e7
- https://git.kernel.org/stable/c/4adee34098a6ee86a54bf3ec885eab620c126a6b
- https://git.kernel.org/stable/c/8ce46dc5b10b0b6f67663202a4921b0e11ad7367
- https://git.kernel.org/stable/c/c0edcdb4fc106d69a2d1a0ce4868193511c389f3
- https://git.kernel.org/stable/c/da12ef7e19048dc5714032c2db587a215852b200
- https://git.kernel.org/stable/c/ec9e6f22bce433b260ea226de127ec68042849b0