CVE-2025-22121
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() There's issue as follows: BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790 Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172 CPU: 3 PID: 15172 Comm: syz-executor.0 Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0xbe/0xfd lib/dump_stack.c:123 print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137 ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896 ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323 evict+0x39f/0x880 fs/inode.c:622 iput_final fs/inode.c:1746 [inline] iput fs/inode.c:1772 [inline] iput+0x525/0x6c0 fs/inode.c:1758 ext4_orphan_cleanup fs/ext4/super.c:3298 [inline] ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300 mount_bdev+0x355/0x410 fs/super.c:1446 legacy_get_tree+0xfe/0x220 fs/fs_context.c:611 vfs_get_tree+0x8d/0x2f0 fs/super.c:1576 do_new_mount fs/namespace.c:2983 [inline] path_mount+0x119a/0x1ad0 fs/namespace.c:3316 do_mount+0xfc/0x110 fs/namespace.c:3329 __do_sys_mount fs/namespace.c:3540 [inline] __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Memory state around the buggy address: ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Above issue happens as ext4_xattr_delete_inode() isn't check xattr is valid if xattr is in inode. To solve above issue call xattr_check_inode() check if xattr if valid in inode. In fact, we can directly verify in ext4_iget_extra_inode(), so that there is no divergent verification.
CVSS Metrics
- v3.1•HIGH•Score: 7.1CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS Trends
Current EPSS score: 0.02%• Percentile: 6%
Techniques & Countermeasures
- CWE-125•Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.
Affected Systems
- linux•linux
≥ e50e5129f384ae282adebfb561189cdb19b81cee, < 27202452b0bc942fdc3db72a44c4dcdab96d5b56 | ≥ e50e5129f384ae282adebfb561189cdb19b81cee, < b374e9ecc92aaa7fb2ab221ee3ff5451118ab566 | ≥ e50e5129f384ae282adebfb561189cdb19b81cee, < c000a8a9b5343a5ef867df173c6349672dacbd0f | ≥ e50e5129f384ae282adebfb561189cdb19b81cee, < 3c591353956ffcace2cc74d09930774afed60619 | ≥ e50e5129f384ae282adebfb561189cdb19b81cee, < 098927a13fd918bd7c64c2de905350a1ad7b4a3a | ≥ e50e5129f384ae282adebfb561189cdb19b81cee, < 0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8 | ≥ e50e5129f384ae282adebfb561189cdb19b81cee, < 5701875f9609b000d91351eaa6bfd97fe2f157f4 | 4.13
- linux•linux_kernel
≥ 4.13, < 6.14.2
References (7)
- https://git.kernel.org/stable/c/27202452b0bc942fdc3db72a44c4dcdab96d5b56
- https://git.kernel.org/stable/c/b374e9ecc92aaa7fb2ab221ee3ff5451118ab566
- https://git.kernel.org/stable/c/c000a8a9b5343a5ef867df173c6349672dacbd0f
- https://git.kernel.org/stable/c/3c591353956ffcace2cc74d09930774afed60619
- https://git.kernel.org/stable/c/098927a13fd918bd7c64c2de905350a1ad7b4a3a
- https://git.kernel.org/stable/c/0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8
- https://git.kernel.org/stable/c/5701875f9609b000d91351eaa6bfd97fe2f157f4