CVE-2025-68251

Summary

In the Linux kernel, the following vulnerability has been resolved:

erofs: avoid infinite loops due to corrupted subpage compact indexes

Robert reported an infinite loop observed by two crafted images.

The root cause is that clusterofs can be larger than lclustersize for !NONHEAD lclusters in corrupted subpage compact indexes, e.g.:

blocksize = lclustersize = 512 lcn = 6 clusterofs = 515

Move the corresponding check for full compress indexes to z_erofs_load_lcluster_from_disk() to also cover subpage compact compress indexes.

It also fixes the position of m->type >= Z_EROFS_LCLUSTER_TYPE_MAX check, since it should be placed right after z_erofs_load_{compact,full}_lcluster().

Affected Software

VendorProductVersion RangeStatus
LinuxLinux8d2517aaeea3ab8651bb517bca8f3c8664d318ea < dbfac1b85d0753996ddfef636934d431b588dd1faffected
LinuxLinux8d2517aaeea3ab8651bb517bca8f3c8664d318ea < 8675447a8794983f2b7e694b378112772c17635eaffected
LinuxLinux8d2517aaeea3ab8651bb517bca8f3c8664d318ea < e13d315ae077bb7c3c6027cc292401bc0f4ec683affected
LinuxLinux3f691aa676f29586e83e6c032713554a290418c3affected
LinuxLinux22438a34d383ec2789eaf450728e38abc53051f8affected
LinuxLinux6.6.16 < 6.7affected
LinuxLinux6.7.4 < 6.8affected
LinuxLinux6.8affected
LinuxLinux0 < 6.8unaffected
LinuxLinux6.12.91 <= 6.12.*unaffected
LinuxLinux6.17.6 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References