CVE-2025-38627
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
The decompress_io_ctx may be released asynchronously after I/O completion. If this file is deleted immediately after read, and the kworker of processing post_read_wq has not been executed yet due to high workloads, It is possible that the inode(f2fs_inode_info) is evicted and freed before it is used f2fs_free_dic.
The UAF case as below:
Thread A Thread B
- f2fs_decompress_end_io
- f2fs_put_dic
- queue_work
add free_dic work to post_read_wq
- do_unlink
- iput
- evict
- call_rcu
This file is deleted after read.
Thread C kworker to process post_read_wq
- rcu_do_batch
- f2fs_free_inode
- kmem_cache_free
inode is freed by rcu
- process_scheduled_works
- f2fs_late_free_dic
- f2fs_free_dic
- f2fs_release_decomp_mem
read (dic->inode)->i_compress_algorithm
This patch store compress_algorithm and sbi in dic to avoid inode UAF.
In addition, the previous solution is deprecated in [1] may cause system hang. [1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | bff139b49d9f70c1ac5384aac94554846aa834de < 74cbeeca4f16823ba58c882e1d8b836c0e39c93d | affected |
| Linux | Linux | bff139b49d9f70c1ac5384aac94554846aa834de < 5d604d40cd3232b09cb339941ef958e49283ed0a | affected |
| Linux | Linux | bff139b49d9f70c1ac5384aac94554846aa834de < cc81768212cdc509e5a986274db7bc24d18cde19 | affected |
| Linux | Linux | bff139b49d9f70c1ac5384aac94554846aa834de < 8fae5b6addd5f6895e03797b56e3c7b9f9cd15c9 | affected |
| Linux | Linux | bff139b49d9f70c1ac5384aac94554846aa834de < 39868685c2a94a70762bc6d77dc81d781d05bff5 | affected |
| Linux | Linux | 6.0 | affected |
| Linux | Linux | 0 < 6.0 | unaffected |
| Linux | Linux | 6.1.175 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.118 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.78 <= 6.12.* | unaffected |
| Linux | Linux | 6.16.1 <= 6.16.* | unaffected |
| Linux | Linux | 6.17 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/74cbeeca4f16823ba58c882e1d8b836c0e39c93d
- https://git.kernel.org/stable/c/5d604d40cd3232b09cb339941ef958e49283ed0a
- https://git.kernel.org/stable/c/cc81768212cdc509e5a986274db7bc24d18cde19
- https://git.kernel.org/stable/c/8fae5b6addd5f6895e03797b56e3c7b9f9cd15c9
- https://git.kernel.org/stable/c/39868685c2a94a70762bc6d77dc81d781d05bff5
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.