CVE-2025-39735

Summary

In the Linux kernel, the following vulnerability has been resolved:

jfs: fix slab-out-of-bounds read in ea_get()

During the "size_check" label in ea_get(), the code checks if the extended attribute list (xattr) size matches ea_size. If not, it logs "ea_get: invalid extended attribute" and calls print_hex_dump().

Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds INT_MAX (2,147,483,647). Then ea_size is clamped:

int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));

Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper limit is treated as an int, causing an overflow above 2^31 - 1. This leads "size" to wrap around and become negative (-184549328).

The "size" is then passed to print_hex_dump() (called "len" in print_hex_dump()), it is passed as type size_t (an unsigned type), this is then stored inside a variable called "int remaining", which is then assigned to "int linelen" which is then passed to hex_dump_to_buffer(). In print_hex_dump() the for loop, iterates through 0 to len-1, where len is 18446744073525002176, calling hex_dump_to_buffer() on each iteration:

for (i = 0; i < len; i += rowsize) {
	linelen = min(remaining, rowsize);
	remaining -= rowsize;

	hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
			   linebuf, sizeof(linebuf), ascii);

	...
}

The expected stopping condition (i < len) is effectively broken since len is corrupted and very large. This eventually leads to the "ptr+i" being passed to hex_dump_to_buffer() to get closer to the end of the actual bounds of "ptr", eventually an out of bounds access is done in hex_dump_to_buffer() in the following for loop:

for (j = 0; j &lt; len; j++) {
		if (linebuflen &lt; lx + 2)
			goto overflow2;
		ch = ptr[j];
	...
}

To fix this we should validate "EALIST_SIZE(ea_buf->xattr)" before it is utilised.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux6e39b681d1eb16f408493bf5023788b57f68998c < 3d6fd5b9c6acbc005e53d0211c7381f566babec1affected
LinuxLinuxbbf3f1fd8a0ac7df1db36a9b9e923041a14369f2 < 50afcee7011155933d8d5e8832f52eeee018cfd3affected
LinuxLinux27a93c45e16ac25a0e2b5e5668e2d1beca56a478 < 78c9cbde8880ec02d864c166bcb4fe989ce1d95faffected
LinuxLinux9c356fc32a4480a2c0e537a05f2a8617633ddad0 < 46e2c031aa59ea65128991cbca474bd5c0c2ecdbaffected
LinuxLinux9353cdf28d4c5c0ff19c5df7fbf81ea774de43a4 < a8c31808925b11393a6601f534bb63bac5366babaffected
LinuxLinux8c505ebeed8045b488b2e60b516c752b851f8437 < 0beddc2a3f9b9cf7d8887973041e36c2d0fa3652affected
LinuxLinuxd9f9d96136cba8fedd647d2c024342ce090133c2 < 16d3d36436492aa248b2d8045e75585ebcc2f34daffected
LinuxLinuxd9f9d96136cba8fedd647d2c024342ce090133c2 < 5263822558a8a7c0d0248d5679c2dcf4d5cda61faffected
LinuxLinuxd9f9d96136cba8fedd647d2c024342ce090133c2 < fdf480da5837c23b146c4743c18de97202fcab37affected
LinuxLinux4ea25fa8747fb8b1e5a11d87b852023ecf7ae420affected
LinuxLinux676a787048aafd4d1b38a522b05a9cc77e1b0a33affected
LinuxLinux5.4.287 < 5.4.292affected
LinuxLinux5.10.231 < 5.10.236affected
LinuxLinux5.15.174 < 5.15.180affected
LinuxLinux6.1.120 < 6.1.134affected
LinuxLinux6.6.64 < 6.6.87affected
LinuxLinux6.12.2 < 6.12.23affected
LinuxLinux4.19.325 < 4.20affected
LinuxLinux6.11.11 < 6.12affected
LinuxLinux6.13affected
LinuxLinux0 < 6.13unaffected
LinuxLinux5.4.292 <= 5.4.*unaffected
LinuxLinux5.10.236 <= 5.10.*unaffected
LinuxLinux5.15.180 <= 5.15.*unaffected
LinuxLinux6.1.134 <= 6.1.*unaffected
LinuxLinux6.6.87 <= 6.6.*unaffected
LinuxLinux6.12.23 <= 6.12.*unaffected
LinuxLinux6.13.11 <= 6.13.*unaffected
LinuxLinux6.14.2 <= 6.14.*unaffected
LinuxLinux6.15 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References