
CVE-2025-39735

jfs: fix slab-out-of-bounds read in ea_get()

  • Severity Score (CVSS v3): 7.1
  • Exploit Likelihood (EPSS): -
  • Affected Versions (CPE): -
  • Public Exploits (multiple sources): 0
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

jfs: fix slab-out-of-bounds read in ea_get()

During the "size_check" label in ea_get(), the code checks if the extended attribute list (xattr) size matches ea_size. If not, it logs "ea_get: invalid extended attribute" and calls print_hex_dump(). Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds INT_MAX (2,147,483,647). Then ea_size is clamped:

    int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));

Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper limit is treated as an int, causing an overflow above 2^31 - 1. This leads "size" to wrap around and become negative (-184549328).

The "size" is then passed to print_hex_dump() (called "len" in print_hex_dump()); it is passed as type size_t (an unsigned type). This is then stored inside a variable called "int remaining", which is then assigned to "int linelen", which is then passed to hex_dump_to_buffer(). In print_hex_dump(), the for loop iterates through 0 to len-1, where len is 18446744073525002176, calling hex_dump_to_buffer() on each iteration:

    for (i = 0; i < len; i += rowsize) {
        linelen = min(remaining, rowsize);
        remaining -= rowsize;
        hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
                           linebuf, sizeof(linebuf), ascii);
        ...
    }

The expected stopping condition (i < len) is effectively broken since len is corrupted and very large. This eventually leads to the "ptr+i" being passed to hex_dump_to_buffer() to get closer to the end of the actual bounds of "ptr"; eventually an out-of-bounds access is done in hex_dump_to_buffer() in the following for loop:

    for (j = 0; j < len; j++) {
        if (linebuflen < lx + 2)
            goto overflow2;
        ch = ptr[j];
        ...
    }

To fix this we should validate "EALIST_SIZE(ea_buf->xattr)" before it is utilised.
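To make the integer conversion chain in the description concrete, here is an added C example (not the kernel's code and not the upstream patch): a simplified clamp fed the advisory's EALIST_SIZE value of 4110417968, beside a hardened check that validates the untrusted size field against INT_MAX and an assumed backing-buffer length before using it as a bound. The size_t figure it computes is the direct cast of the wrapped int; the advisory's len value comes from the real code path and differs slightly.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's clamp_t(int, val, lo, hi): each
 * argument is converted to int first, which is where a large bound wraps. */
static int clamp_int(int val, int lo, int hi)
{
	if (val < lo)
		return lo;
	return val > hi ? hi : val;
}

/* Vulnerable pattern from the advisory: the untrusted EALIST_SIZE value is
 * used directly as the clamp's upper bound. With 4110417968 (> INT_MAX) the
 * bound wraps to -184549328, so the clamp returns a negative "size". */
int vulnerable_size(int ea_size, unsigned long ealist_size)
{
	return clamp_int(ea_size, 0, (int)ealist_size); /* bound wraps here */
}

/* The negative int then reaches print_hex_dump() as a size_t "len": the
 * modular conversion yields a value near 2^64 (assumes 64-bit size_t). */
size_t as_hexdump_len(int size)
{
	return (size_t)size;
}

/* Hardened pattern: validate the on-disk size field before it becomes a
 * bound. It must fit an int and must not exceed the backing buffer.
 * buf_len is an assumed parameter for this example; returns -1 on reject. */
int hardened_size(int ea_size, unsigned long ealist_size, size_t buf_len)
{
	if (ealist_size > (unsigned long)INT_MAX || ealist_size > buf_len)
		return -1; /* corrupt xattr list: refuse to clamp or dump it */
	return clamp_int(ea_size, 0, (int)ealist_size);
}

int main(void)
{
	unsigned long ealist = 4110417968ul; /* advisory's EALIST_SIZE value */
	int size = vulnerable_size(100, ealist);

	printf("clamped size:    %d\n", size);
	printf("as size_t len:   %zu\n", as_hexdump_len(size));
	printf("hardened result: %d\n", hardened_size(100, ealist, 4096));
	return 0;
}
```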


*Credits: N/A
CVSS Scores

CVSS v3
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: High

CVSS v2
  • Attack Vector: Local
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Complete
  • Integrity: None
  • Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2025-04-16 CVE Reserved
  • 2025-04-18 CVE Published
  • 2025-05-04 CVE Updated
  • 2025-05-15 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
Affected Vendors, Products, and Versions

Vendor  Product       Version                  Status
Linux   Linux Kernel  >= 5.4.287 < 5.4.292     Affected
Linux   Linux Kernel  >= 5.10.231 < 5.10.236   Affected
Linux   Linux Kernel  >= 5.15.174 < 5.15.180   Affected
Linux   Linux Kernel  >= 6.1.120 < 6.1.134     Affected
Linux   Linux Kernel  >= 6.6.64 < 6.6.87       Affected
Linux   Linux Kernel  >= 6.12.2 < 6.12.23      Affected
Linux   Linux Kernel  >= 6.13 < 6.13.11        Affected
Linux   Linux Kernel  >= 6.13 < 6.14.2         Affected
Linux   Linux Kernel  >= 6.13 < 6.15-rc1       Affected
Linux   Linux Kernel  4.19.325                 Affected
Linux   Linux Kernel  6.11.11                  Affected