CVE-2025-37785 (GCVE-0-2025-37785)

Vulnerability from cvelistv5 – Published: 2025-04-18 07:01 – Updated: 2026-05-11 21:15
VLAI
Title
ext4: fix OOB read when checking dotdot dir
Summary
In the Linux kernel, the following vulnerability has been resolved: ext4: fix OOB read when checking dotdot dir Mounting a corrupted filesystem with directory which contains '.' dir entry with rec_len == block size results in out-of-bounds read (later on, when the corrupted directory is removed). ext4_empty_dir() assumes every ext4 directory contains at least '.' and '..' as directory entries in the first data block. It first loads the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry() and then uses its rec_len member to compute the location of '..' dir entry (in ext4_next_entry). It assumes the '..' dir entry fits into the same data block. If the rec_len of '.' is precisely one block (4KB), it slips through the sanity checks (it is considered the last directory entry in the data block) and leaves "struct ext4_dir_entry_2 *de" point exactly past the memory slot allocated to the data block. The following call to ext4_check_dir_entry() on new value of de then dereferences this pointer which results in out-of-bounds mem access. Fix this by extending __ext4_check_dir_entry() to check for '.' dir entries that reach the end of data block. Make sure to ignore the phony dir entries for checksum (by checking name_len for non-zero). Note: This is reported by KASAN as use-after-free in case another structure was recently freed from the slot past the bound, but it is really an OOB read. This issue was found by syzkaller tool. Call Trace: [ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710 [ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375 [ 38.595158] [ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1 [ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 38.595304] Call Trace: [ 38.595308] <TASK> [ 38.595311] dump_stack_lvl+0xa7/0xd0 [ 38.595325] print_address_description.constprop.0+0x2c/0x3f0 [ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595349] print_report+0xaa/0x250 [ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595368] ? kasan_addr_to_slab+0x9/0x90 [ 38.595378] kasan_report+0xab/0xe0 [ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595400] __ext4_check_dir_entry+0x67e/0x710 [ 38.595410] ext4_empty_dir+0x465/0x990 [ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10 [ 38.595432] ext4_rmdir.part.0+0x29a/0xd10 [ 38.595441] ? __dquot_initialize+0x2a7/0xbf0 [ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10 [ 38.595464] ? __pfx___dquot_initialize+0x10/0x10 [ 38.595478] ? down_write+0xdb/0x140 [ 38.595487] ? __pfx_down_write+0x10/0x10 [ 38.595497] ext4_rmdir+0xee/0x140 [ 38.595506] vfs_rmdir+0x209/0x670 [ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190 [ 38.595529] do_rmdir+0x363/0x3c0 [ 38.595537] ? __pfx_do_rmdir+0x10/0x10 [ 38.595544] ? strncpy_from_user+0x1ff/0x2e0 [ 38.595561] __x64_sys_unlinkat+0xf0/0x130 [ 38.595570] do_syscall_64+0x5b/0x180 [ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e
Severity
7.1 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < 14da7dbecb430e35b5889da8dae7bef33173b351 (git)
Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < e47f472a664d70a3d104a6c2a035cdff55a719b4 (git)
Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < b7531a4f99c3887439d778afaf418d1a01a5f01b (git)
Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < 89503e5eae64637d0fa2218912b54660effe7d93 (git)
Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < 52a5509ab19a5d3afe301165d9b5787bba34d842 (git)
Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < b47584c556444cf7acb66b26a62cbc348eb92b78 (git)
Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < ac28c5684c1cdab650a7e5065b19e91577d37a4b (git)
Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < 53bc45da8d8da92ec07877f5922b130562eb4b00 (git)
Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < d5e206778e96e8667d3bde695ad372c296dc9353 (git)
Create a notification for this product.
Linux Linux Affected: 2.6.19
Unaffected: 0 , < 2.6.19 (semver)
Unaffected: 5.4.293 , ≤ 5.4.* (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.134 , ≤ 6.1.* (semver)
Unaffected: 6.6.87 , ≤ 6.6.* (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:55:07.824Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "14da7dbecb430e35b5889da8dae7bef33173b351",
              "status": "affected",
              "version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
              "versionType": "git"
            },
            {
              "lessThan": "e47f472a664d70a3d104a6c2a035cdff55a719b4",
              "status": "affected",
              "version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
              "versionType": "git"
            },
            {
              "lessThan": "b7531a4f99c3887439d778afaf418d1a01a5f01b",
              "status": "affected",
              "version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
              "versionType": "git"
            },
            {
              "lessThan": "89503e5eae64637d0fa2218912b54660effe7d93",
              "status": "affected",
              "version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
              "versionType": "git"
            },
            {
              "lessThan": "52a5509ab19a5d3afe301165d9b5787bba34d842",
              "status": "affected",
              "version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
              "versionType": "git"
            },
            {
              "lessThan": "b47584c556444cf7acb66b26a62cbc348eb92b78",
              "status": "affected",
              "version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
              "versionType": "git"
            },
            {
              "lessThan": "ac28c5684c1cdab650a7e5065b19e91577d37a4b",
              "status": "affected",
              "version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
              "versionType": "git"
            },
            {
              "lessThan": "53bc45da8d8da92ec07877f5922b130562eb4b00",
              "status": "affected",
              "version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
              "versionType": "git"
            },
            {
              "lessThan": "d5e206778e96e8667d3bde695ad372c296dc9353",
              "status": "affected",
              "version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.19"
            },
            {
              "lessThan": "2.6.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix OOB read when checking dotdot dir\n\nMounting a corrupted filesystem with directory which contains \u0027.\u0027 dir\nentry with rec_len == block size results in out-of-bounds read (later\non, when the corrupted directory is removed).\n\next4_empty_dir() assumes every ext4 directory contains at least \u0027.\u0027\nand \u0027..\u0027 as directory entries in the first data block. It first loads\nthe \u0027.\u0027 dir entry, performs sanity checks by calling ext4_check_dir_entry()\nand then uses its rec_len member to compute the location of \u0027..\u0027 dir\nentry (in ext4_next_entry). It assumes the \u0027..\u0027 dir entry fits into the\nsame data block.\n\nIf the rec_len of \u0027.\u0027 is precisely one block (4KB), it slips through the\nsanity checks (it is considered the last directory entry in the data\nblock) and leaves \"struct ext4_dir_entry_2 *de\" point exactly past the\nmemory slot allocated to the data block. The following call to\next4_check_dir_entry() on new value of de then dereferences this pointer\nwhich results in out-of-bounds mem access.\n\nFix this by extending __ext4_check_dir_entry() to check for \u0027.\u0027 dir\nentries that reach the end of data block. Make sure to ignore the phony\ndir entries for checksum (by checking name_len for non-zero).\n\nNote: This is reported by KASAN as use-after-free in case another\nstructure was recently freed from the slot past the bound, but it is\nreally an OOB read.\n\nThis issue was found by syzkaller tool.\n\nCall Trace:\n[   38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710\n[   38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375\n[   38.595158]\n[   38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1\n[   38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[   38.595304] Call Trace:\n[   38.595308]  \u003cTASK\u003e\n[   38.595311]  dump_stack_lvl+0xa7/0xd0\n[   38.595325]  print_address_description.constprop.0+0x2c/0x3f0\n[   38.595339]  ? __ext4_check_dir_entry+0x67e/0x710\n[   38.595349]  print_report+0xaa/0x250\n[   38.595359]  ? __ext4_check_dir_entry+0x67e/0x710\n[   38.595368]  ? kasan_addr_to_slab+0x9/0x90\n[   38.595378]  kasan_report+0xab/0xe0\n[   38.595389]  ? __ext4_check_dir_entry+0x67e/0x710\n[   38.595400]  __ext4_check_dir_entry+0x67e/0x710\n[   38.595410]  ext4_empty_dir+0x465/0x990\n[   38.595421]  ? __pfx_ext4_empty_dir+0x10/0x10\n[   38.595432]  ext4_rmdir.part.0+0x29a/0xd10\n[   38.595441]  ? __dquot_initialize+0x2a7/0xbf0\n[   38.595455]  ? __pfx_ext4_rmdir.part.0+0x10/0x10\n[   38.595464]  ? __pfx___dquot_initialize+0x10/0x10\n[   38.595478]  ? down_write+0xdb/0x140\n[   38.595487]  ? __pfx_down_write+0x10/0x10\n[   38.595497]  ext4_rmdir+0xee/0x140\n[   38.595506]  vfs_rmdir+0x209/0x670\n[   38.595517]  ? lookup_one_qstr_excl+0x3b/0x190\n[   38.595529]  do_rmdir+0x363/0x3c0\n[   38.595537]  ? __pfx_do_rmdir+0x10/0x10\n[   38.595544]  ? strncpy_from_user+0x1ff/0x2e0\n[   38.595561]  __x64_sys_unlinkat+0xf0/0x130\n[   38.595570]  do_syscall_64+0x5b/0x180\n[   38.595583]  entry_SYSCALL_64_after_hwframe+0x76/0x7e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:15:07.857Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/14da7dbecb430e35b5889da8dae7bef33173b351"
        },
        {
          "url": "https://git.kernel.org/stable/c/e47f472a664d70a3d104a6c2a035cdff55a719b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7531a4f99c3887439d778afaf418d1a01a5f01b"
        },
        {
          "url": "https://git.kernel.org/stable/c/89503e5eae64637d0fa2218912b54660effe7d93"
        },
        {
          "url": "https://git.kernel.org/stable/c/52a5509ab19a5d3afe301165d9b5787bba34d842"
        },
        {
          "url": "https://git.kernel.org/stable/c/b47584c556444cf7acb66b26a62cbc348eb92b78"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac28c5684c1cdab650a7e5065b19e91577d37a4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/53bc45da8d8da92ec07877f5922b130562eb4b00"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5e206778e96e8667d3bde695ad372c296dc9353"
        }
      ],
      "title": "ext4: fix OOB read when checking dotdot dir",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37785",
    "datePublished": "2025-04-18T07:01:27.393Z",
    "dateReserved": "2025-04-16T04:51:23.940Z",
    "dateUpdated": "2026-05-11T21:15:07.857Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-37785",
      "date": "2026-06-30",
      "epss": "0.00226",
      "percentile": "0.13253"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-37785\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-18T07:15:42.693\",\"lastModified\":\"2026-06-17T09:15:26.103\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix OOB read when checking dotdot dir\\n\\nMounting a corrupted filesystem with directory which contains \u0027.\u0027 dir\\nentry with rec_len == block size results in out-of-bounds read (later\\non, when the corrupted directory is removed).\\n\\next4_empty_dir() assumes every ext4 directory contains at least \u0027.\u0027\\nand \u0027..\u0027 as directory entries in the first data block. It first loads\\nthe \u0027.\u0027 dir entry, performs sanity checks by calling ext4_check_dir_entry()\\nand then uses its rec_len member to compute the location of \u0027..\u0027 dir\\nentry (in ext4_next_entry). It assumes the \u0027..\u0027 dir entry fits into the\\nsame data block.\\n\\nIf the rec_len of \u0027.\u0027 is precisely one block (4KB), it slips through the\\nsanity checks (it is considered the last directory entry in the data\\nblock) and leaves \\\"struct ext4_dir_entry_2 *de\\\" point exactly past the\\nmemory slot allocated to the data block. The following call to\\next4_check_dir_entry() on new value of de then dereferences this pointer\\nwhich results in out-of-bounds mem access.\\n\\nFix this by extending __ext4_check_dir_entry() to check for \u0027.\u0027 dir\\nentries that reach the end of data block. Make sure to ignore the phony\\ndir entries for checksum (by checking name_len for non-zero).\\n\\nNote: This is reported by KASAN as use-after-free in case another\\nstructure was recently freed from the slot past the bound, but it is\\nreally an OOB read.\\n\\nThis issue was found by syzkaller tool.\\n\\nCall Trace:\\n[   38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710\\n[   38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375\\n[   38.595158]\\n[   38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1\\n[   38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\\n[   38.595304] Call Trace:\\n[   38.595308]  \u003cTASK\u003e\\n[   38.595311]  dump_stack_lvl+0xa7/0xd0\\n[   38.595325]  print_address_description.constprop.0+0x2c/0x3f0\\n[   38.595339]  ? __ext4_check_dir_entry+0x67e/0x710\\n[   38.595349]  print_report+0xaa/0x250\\n[   38.595359]  ? __ext4_check_dir_entry+0x67e/0x710\\n[   38.595368]  ? kasan_addr_to_slab+0x9/0x90\\n[   38.595378]  kasan_report+0xab/0xe0\\n[   38.595389]  ? __ext4_check_dir_entry+0x67e/0x710\\n[   38.595400]  __ext4_check_dir_entry+0x67e/0x710\\n[   38.595410]  ext4_empty_dir+0x465/0x990\\n[   38.595421]  ? __pfx_ext4_empty_dir+0x10/0x10\\n[   38.595432]  ext4_rmdir.part.0+0x29a/0xd10\\n[   38.595441]  ? __dquot_initialize+0x2a7/0xbf0\\n[   38.595455]  ? __pfx_ext4_rmdir.part.0+0x10/0x10\\n[   38.595464]  ? __pfx___dquot_initialize+0x10/0x10\\n[   38.595478]  ? down_write+0xdb/0x140\\n[   38.595487]  ? __pfx_down_write+0x10/0x10\\n[   38.595497]  ext4_rmdir+0xee/0x140\\n[   38.595506]  vfs_rmdir+0x209/0x670\\n[   38.595517]  ? lookup_one_qstr_excl+0x3b/0x190\\n[   38.595529]  do_rmdir+0x363/0x3c0\\n[   38.595537]  ? __pfx_do_rmdir+0x10/0x10\\n[   38.595544]  ? strncpy_from_user+0x1ff/0x2e0\\n[   38.595561]  __x64_sys_unlinkat+0xf0/0x130\\n[   38.595570]  do_syscall_64+0x5b/0x180\\n[   38.595583]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ext4: correcci\u00f3n de lectura OOB al comprobar el directorio dotdot Montar un sistema de archivos da\u00f1ado con un directorio que contiene una entrada de directorio \u0027.\u0027 con rec_len == tama\u00f1o de bloque da como resultado una lectura fuera de los l\u00edmites (m\u00e1s adelante, cuando se elimina el directorio da\u00f1ado). ext4_empty_dir() asume que cada directorio ext4 contiene al menos \u0027.\u0027 y \u0027..\u0027 como entradas de directorio en el primer bloque de datos. Primero carga la entrada de directorio \u0027.\u0027, realiza comprobaciones de cordura llamando a ext4_check_dir_entry() y luego usa su miembro rec_len para calcular la ubicaci\u00f3n de la entrada de directorio \u0027..\u0027 (en ext4_next_entry). Asume que la entrada de directorio \u0027..\u0027 encaja en el mismo bloque de datos. Si el rec_len de \u0027.\u0027 Si es exactamente un bloque (4 KB), no cumple con las comprobaciones de seguridad (se considera la \u00faltima entrada de directorio del bloque de datos) y deja el puntero \\\"struct ext4_dir_entry_2 *de\\\" justo despu\u00e9s de la ranura de memoria asignada al bloque de datos. La siguiente llamada a ext4_check_dir_entry() con el nuevo valor de de desreferencia este puntero, lo que resulta en un acceso a la memoria fuera de los l\u00edmites. Para solucionar esto, extienda __ext4_check_dir_entry() para verificar las entradas de directorio \\\".\\\" que llegan al final del bloque de datos. Aseg\u00farese de ignorar las entradas de directorio falsas para la suma de comprobaci\u00f3n (verificando name_len para ver si es distinto de cero). Nota: KASAN informa que esto es un use-after-free en caso de que otra estructura se haya liberado recientemente de la ranura m\u00e1s all\u00e1 del l\u00edmite, pero en realidad es una lectura fuera de banda (OOB). Este problema fue detectado por la herramienta syzkaller. Rastreo de llamadas: [38.594108] ERROR: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710 [ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375 [ 38.595158] [ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1 [ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 38.595304] Call Trace: [ 38.595308]  [ 38.595311] dump_stack_lvl+0xa7/0xd0 [ 38.595325] print_address_description.constprop.0+0x2c/0x3f0 [ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595349] print_report+0xaa/0x250 [ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595368] ? kasan_addr_to_slab+0x9/0x90 [ 38.595378] kasan_report+0xab/0xe0 [ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595400] __ext4_check_dir_entry+0x67e/0x710 [ 38.595410] ext4_empty_dir+0x465/0x990 [ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10 [ 38.595432] ext4_rmdir.part.0+0x29a/0xd10 [ 38.595441] ? __dquot_initialize+0x2a7/0xbf0 [ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10 [ 38.595464] ? __pfx___dquot_initialize+0x10/0x10 [ 38.595478] ? down_write+0xdb/0x140 [ 38.595487] ? __pfx_down_write+0x10/0x10 [ 38.595497] ext4_rmdir+0xee/0x140 [ 38.595506] vfs_rmdir+0x209/0x670 [ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190 [ 38.595529] do_rmdir+0x363/0x3c0 [ 38.595537] ? __pfx_do_rmdir+0x10/0x10 [ 38.595544] ? strncpy_from_user+0x1ff/0x2e0 [ 38.595561] __x64_sys_unlinkat+0xf0/0x130 [ 38.595570] do_syscall_64+0x5b/0x180 [ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"fs/ext4/dir.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"ac27a0ec112a089f1a5102bc8dffc79c8c815571\",\"lessThan\":\"14da7dbecb430e35b5889da8dae7bef33173b351\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ac27a0ec112a089f1a5102bc8dffc79c8c815571\",\"lessThan\":\"e47f472a664d70a3d104a6c2a035cdff55a719b4\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ac27a0ec112a089f1a5102bc8dffc79c8c815571\",\"lessThan\":\"b7531a4f99c3887439d778afaf418d1a01a5f01b\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ac27a0ec112a089f1a5102bc8dffc79c8c815571\",\"lessThan\":\"89503e5eae64637d0fa2218912b54660effe7d93\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ac27a0ec112a089f1a5102bc8dffc79c8c815571\",\"lessThan\":\"52a5509ab19a5d3afe301165d9b5787bba34d842\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ac27a0ec112a089f1a5102bc8dffc79c8c815571\",\"lessThan\":\"b47584c556444cf7acb66b26a62cbc348eb92b78\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ac27a0ec112a089f1a5102bc8dffc79c8c815571\",\"lessThan\":\"ac28c5684c1cdab650a7e5065b19e91577d37a4b\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ac27a0ec112a089f1a5102bc8dffc79c8c815571\",\"lessThan\":\"53bc45da8d8da92ec07877f5922b130562eb4b00\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ac27a0ec112a089f1a5102bc8dffc79c8c815571\",\"lessThan\":\"d5e206778e96e8667d3bde695ad372c296dc9353\",\"versionType\":\"git\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"fs/ext4/dir.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"2.6.19\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"2.6.19\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.4.293\",\"lessThanOrEqual\":\"5.4.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.10.236\",\"lessThanOrEqual\":\"5.10.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.15.180\",\"lessThanOrEqual\":\"5.15.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.1.134\",\"lessThanOrEqual\":\"6.1.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.6.87\",\"lessThanOrEqual\":\"6.6.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.12.23\",\"lessThanOrEqual\":\"6.12.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.13.11\",\"lessThanOrEqual\":\"6.13.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.14.2\",\"lessThanOrEqual\":\"6.14.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.15\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.19\",\"versionEndExcluding\":\"5.10.236\",\"matchCriteriaId\":\"5093EDFD-21CC-4898-9E34-0C31FADEF44A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.180\",\"matchCriteriaId\":\"D19801C8-3D18-405D-9989-E6C9B30255FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.134\",\"matchCriteriaId\":\"3985DEC3-0437-4177-BC42-314AB575285A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.87\",\"matchCriteriaId\":\"EFF24260-49B1-4251-9477-C564CFDAD25B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.23\",\"matchCriteriaId\":\"26CAB76D-F00F-43CE-BEAD-7097F8FB1D6C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.11\",\"matchCriteriaId\":\"E7E864B0-8C00-4679-BA55-659B4C9C3AD3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.14\",\"versionEndExcluding\":\"6.14.2\",\"matchCriteriaId\":\"FADAE5D8-4808-442C-B218-77B2CE8780A0\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/14da7dbecb430e35b5889da8dae7bef33173b351\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/52a5509ab19a5d3afe301165d9b5787bba34d842\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/53bc45da8d8da92ec07877f5922b130562eb4b00\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/89503e5eae64637d0fa2218912b54660effe7d93\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ac28c5684c1cdab650a7e5065b19e91577d37a4b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b47584c556444cf7acb66b26a62cbc348eb92b78\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b7531a4f99c3887439d778afaf418d1a01a5f01b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d5e206778e96e8667d3bde695ad372c296dc9353\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e47f472a664d70a3d104a6c2a035cdff55a719b4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.