CVE-2025-37931

{"id": "CVE-2025-37931", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-05-20T16:15:29.713", "references": [{"url": "https://git.kernel.org/stable/c/396f4002710030ea1cfd4c789ebaf0a6969ab34f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5111b148360f50cac9abbae8fca44cc0ac4bf9bf", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/977849e8acd2466ac3cb49e04a3ecc73837f6b90", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b80db09b614cb7edec5bada1bc7c7b0eb3b453ea", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e08e49d986f82c30f42ad0ed43ebbede1e1e3739", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: adjust subpage bit start based on sectorsize\n\nWhen running machines with 64k page size and a 16k nodesize we started\nseeing tree log corruption in production. This turned out to be because\nwe were not writing out dirty blocks sometimes, so this in fact affects\nall metadata writes.\n\nWhen writing out a subpage EB we scan the subpage bitmap for a dirty\nrange. If the range isn't dirty we do\n\n\tbit_start++;\n\nto move onto the next bit. The problem is the bitmap is based on the\nnumber of sectors that an EB has. So in this case, we have a 64k\npagesize, 16k nodesize, but a 4k sectorsize. This means our bitmap is 4\nbits for every node. With a 64k page size we end up with 4 nodes per\npage.\n\nTo make this easier this is how everything looks\n\n[0 16k 32k 48k ] logical address\n[0 4 8 12 ] radix tree offset\n[ 64k page ] folio\n[ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ] extent buffers\n[ | | | | | | | | | | | | | | | | ] bitmap\n\nNow we use all of our addressing based on fs_info->sectorsize_bits, so\nas you can see the above our 16k eb->start turns into radix entry 4.\n\nWhen we find a dirty range for our eb, we correctly do bit_start +=\nsectors_per_node, because if we start at bit 0, the next bit for the\nnext eb is 4, to correspond to eb->start 16k.\n\nHowever if our range is clean, we will do bit_start++, which will now\nput us offset from our radix tree entries.\n\nIn our case, assume that the first time we check the bitmap the block is\nnot dirty, we increment bit_start so now it == 1, and then we loop\naround and check again. This time it is dirty, and we go to find that\nstart using the following equation\n\n\tstart = folio_start + bit_start * fs_info->sectorsize;\n\nso in the case above, eb->start 0 is now dirty, and we calculate start\nas\n\n\t0 + 1 * fs_info->sectorsize = 4096\n\t4096 >> 12 = 1\n\nNow we're looking up the radix tree for 1, and we won't find an eb.\nWhat's worse is now we're using bit_start == 1, so we do bit_start +=\nsectors_per_node, which is now 5. If that eb is dirty we will run into\nthe same thing, we will look at an offset that is not populated in the\nradix tree, and now we're skipping the writeout of dirty extent buffers.\n\nThe best fix for this is to not use sectorsize_bits to address nodes,\nbut that's a larger change. Since this is a fs corruption problem fix\nit simply by always using sectors_per_node to increment the start bit."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: ajustar el inicio del bit de la subp\u00e1gina en funci\u00f3n del tama\u00f1o del sector Al ejecutar m\u00e1quinas con un tama\u00f1o de p\u00e1gina de 64k y un tama\u00f1o de nodo de 16k, comenzamos a ver corrupci\u00f3n en el registro del \u00e1rbol en producci\u00f3n. Esto result\u00f3 ser porque a veces no escrib\u00edamos bloques sucios, por lo que, de hecho, afecta a todas las escrituras de metadatos. Al escribir un EB de subp\u00e1gina, escaneamos el mapa de bits de la subp\u00e1gina en busca de un rango sucio. Si el rango no est\u00e1 sucio, hacemos bit_start++; para pasar al siguiente bit. El problema es que el mapa de bits se basa en la cantidad de sectores que tiene un EB. Entonces, en este caso, tenemos un tama\u00f1o de p\u00e1gina de 64k, un tama\u00f1o de nodo de 16k, pero un tama\u00f1o de sector de 4k. Esto significa que nuestro mapa de bits es de 4 bits para cada nodo. Con un tama\u00f1o de p\u00e1gina de 64k, terminamos con 4 nodos por p\u00e1gina. Para hacer esto m\u00e1s f\u00e1cil as\u00ed es como se ve todo [0 16k 32k 48k ] direcci\u00f3n l\u00f3gica [0 4 8 12 ] desplazamiento del \u00e1rbol de radix [ p\u00e1gina 64k ] folio [ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ] b\u00faferes de extensi\u00f3n [ | | | | | | | | | | | | | | | | ] mapa de bits Ahora usamos todo nuestro direccionamiento basado en fs_info->sectorsize_bits, as\u00ed que como puedes ver arriba nuestro eb->start de 16k se convierte en la entrada de radix 4. Cuando encontramos un rango sucio para nuestro eb, hacemos correctamente bit_start += sectores_per_node, porque si empezamos en el bit 0, el siguiente bit para el siguiente eb es 4, para corresponder a eb->start 16k. Sin embargo, si nuestro rango est\u00e1 limpio, haremos bit_start++, que ahora nos pondr\u00e1 en un desplazamiento desde nuestras entradas del \u00e1rbol de radix. En nuestro caso, supongamos que la primera vez que comprobamos el mapa de bits, el bloque no est\u00e1 sucio, incrementamos bit_start para que ahora sea == 1, y luego hacemos un bucle y comprobamos de nuevo. Esta vez est\u00e1 sucio, y vamos a encontrar ese inicio usando la siguiente ecuaci\u00f3n start = folio_start + bit_start * fs_info->sectorsize; as\u00ed que en el caso anterior, eb->start 0 ahora est\u00e1 sucio, y calculamos start como 0 + 1 * fs_info->sectorsize = 4096 4096 >> 12 = 1 Ahora estamos buscando el \u00e1rbol de bases para 1, y no encontraremos un eb. Lo que es peor es que ahora estamos usando bit_start == 1, as\u00ed que hacemos bit_start += sectores_por_nodo, que ahora es 5. Si ese eb est\u00e1 sucio, nos encontraremos con lo mismo, veremos un desplazamiento que no est\u00e1 rellenado en el \u00e1rbol de bases, y ahora estamos omitiendo la escritura de los b\u00faferes de extensi\u00f3n sucios. La mejor soluci\u00f3n es no usar sectorsize_bits para direccionar nodos, pero ese es un cambio mayor. Dado que se trata de un problema de corrupci\u00f3n del sistema de archivos, corr\u00edjalo simplemente usando siempre sectores_por_nodo para incrementar el bit de inicio."}], "lastModified": "2025-12-19T16:59:37.937", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "752AE63C-A378-4CD2-87E2-408BF0D447AB", "versionEndExcluding": "6.1.151", "versionStartIncluding": "5.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9364B0C-6B18-422E-8254-73EF0E856875", "versionEndExcluding": "6.6.105", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5082CE19-0F3D-4521-AB3E-810D8255F500", "versionEndExcluding": "6.12.28", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19E5095E-5950-43EA-8E78-FC860855293F", "versionEndExcluding": "6.14.6", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D465631-2980-487A-8E65-40AE2B9F8ED1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C9D071F-B28E-46EC-AC61-22B913390211"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13FC0DDE-E513-465E-9E81-515702D49B74"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C7B5B0E-4EEB-48F5-B4CF-0935A7633845"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}