{"uuid": "245432c4-ed7b-408d-b064-99a4de8faf3d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-37742", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/14275", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-37742\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix uninit-value access of imap allocated in the diMount() function\n\nsyzbot reports that hex_dump_to_buffer is using uninit-value:\n\n=====================================================\nBUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171\nhex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171\nprint_hex_dump+0x13d/0x3e0 lib/hexdump.c:276\ndiFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876\njfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156\nevict+0x723/0xd10 fs/inode.c:796\niput_final fs/inode.c:1946 [inline]\niput+0x97b/0xdb0 fs/inode.c:1972\ntxUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367\ntxLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\njfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733\nkthread+0x6b9/0xef0 kernel/kthread.c:464\nret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nUninit was created at:\nslab_post_alloc_hook mm/slub.c:4121 [inline]\nslab_alloc_node mm/slub.c:4164 [inline]\n__kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320\nkmalloc_noprof include/linux/slab.h:901 [inline]\ndiMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105\njfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176\njfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523\nget_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636\nget_tree_bdev+0x37/0x50 fs/super.c:1659\njfs_get_tree+0x34/0x40 fs/jfs/super.c:635\nvfs_get_tree+0xb1/0x5a0 fs/super.c:1814\ndo_new_mount+0x71f/0x15e0 fs/namespace.c:3560\npath_mount+0x742/0x1f10 fs/namespace.c:3887\ndo_mount fs/namespace.c:3900 [inline]\n__do_sys_mount fs/namespace.c:4111 [inline]\n__se_sys_mount+0x71f/0x800 fs/namespace.c:4088\n__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088\nx64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\n=====================================================\n\nThe reason is that imap is not properly initialized after memory\nallocation. It will cause the snprintf() function to write uninitialized\ndata into linebuf within hex_dump_to_buffer().\n\nFix this by using kzalloc instead of kmalloc to clear its content at the\nbeginning in diMount().\n\ud83d\udccf Published: 2025-05-01T12:55:50.603Z\n\ud83d\udccf Modified: 2025-05-01T12:55:50.603Z\n\ud83d\udd17 References:\n1. https://git.kernel.org/stable/c/cab1852368dd74d629ee02abdbc559218ca64dde\n2. https://git.kernel.org/stable/c/067347e00a3a7d04afed93f080c6c131e5dd15ee\n3. https://git.kernel.org/stable/c/63148ce4904faa668daffdd1d3c1199ae315ef2c\n4. https://git.kernel.org/stable/c/7057f3aab47629d38e54eae83505813cf0da1e4b\n5. https://git.kernel.org/stable/c/d0d7eca253ccd0619b3d2b683ffe32218ebca9ac\n6. https://git.kernel.org/stable/c/9629d7d66c621671d9a47afe27ca9336bfc8a9ea", "creation_timestamp": "2025-05-01T13:14:48.000000Z"}