CVE-2025-38269
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: exit after state insertion failure at btrfs_convert_extent_bit()
If insert_state() state failed it returns an error pointer and we call extent_io_tree_panic() which will trigger a BUG() call. However if CONFIG_BUG is disabled, which is an uncommon and exotic scenario, then we fallthrough and call cache_state() which will dereference the error pointer, resulting in an invalid memory access.
So jump to the 'out' label after calling extent_io_tree_panic(), it also makes the code more clear besides dealing with the exotic scenario where CONFIG_BUG is disabled.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | c91ea4bfa6dda549295ea7c15dfc990094d1fcd3 < 58c50f45e1821a04d61b62514f9bd34afe67c622 | affected |
| Linux | Linux | c91ea4bfa6dda549295ea7c15dfc990094d1fcd3 < 8d9d32088e304e2bc444a3087cab0bbbd9951866 | affected |
| Linux | Linux | c91ea4bfa6dda549295ea7c15dfc990094d1fcd3 < 3bf179e36da917c5d9bec71c714573ed1649b7c1 | affected |
| Linux | Linux | 6.7 | affected |
| Linux | Linux | 0 < 6.7 | unaffected |
| Linux | Linux | 6.12.34 <= 6.12.* | unaffected |
| Linux | Linux | 6.15.3 <= 6.15.* | unaffected |
| Linux | Linux | 6.16 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/58c50f45e1821a04d61b62514f9bd34afe67c622
- https://git.kernel.org/stable/c/8d9d32088e304e2bc444a3087cab0bbbd9951866
- https://git.kernel.org/stable/c/3bf179e36da917c5d9bec71c714573ed1649b7c1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.