CVE-2025-38260

{"id": "CVE-2025-38260", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-07-09T11:15:28.340", "references": [{"url": "https://git.kernel.org/stable/c/3f5c4a996f8f4fecd24a3eb344a307c50af895c2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/547e836661554dcfa15c212a3821664e85b4191a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bbe9231fe611a54a447962494472f604419bad59", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f8ce11903211542a61f05c02caedd2edfb4256b8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fc97a116dc4929905538bc0bd3af7faa51192957", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html", "tags": ["Third Party Advisory", "Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle csum tree error with rescue=ibadroots correctly\n\n[BUG]\nThere is syzbot based reproducer that can crash the kernel, with the\nfollowing call trace: (With some debug output added)\n\n DEBUG: rescue=ibadroots parsed\n BTRFS: device fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 devid 1 transid 8 /dev/loop0 (7:0) scanned by repro (1010)\n BTRFS info (device loop0): first mount of filesystem 14d642db-7b15-43e4-81e6-4b8fac6a25f8\n BTRFS info (device loop0): using blake2b (blake2b-256-generic) checksum algorithm\n BTRFS info (device loop0): using free-space-tree\n BTRFS warning (device loop0): checksum verify failed on logical 5312512 mirror 1 wanted 0xb043382657aede36608fd3386d6b001692ff406164733d94e2d9a180412c6003 found 0x810ceb2bacb7f0f9eb2bf3b2b15c02af867cb35ad450898169f3b1f0bd818651 level 0\n DEBUG: read tree root path failed for tree csum, ret=-5\n BTRFS warning (device loop0): checksum verify failed on logical 5328896 mirror 1 wanted 0x51be4e8b303da58e6340226815b70e3a93592dac3f30dd510c7517454de8567a found 0x51be4e8b303da58e634022a315b70e3a93592dac3f30dd510c7517454de8567a level 0\n BTRFS warning (device loop0): checksum verify failed on logical 5292032 mirror 1 wanted 0x1924ccd683be9efc2fa98582ef58760e3848e9043db8649ee382681e220cdee4 found 0x0cb6184f6e8799d9f8cb335dccd1d1832da1071d12290dab3b85b587ecacca6e level 0\n process 'repro' launched './file2' with NULL argv: empty string added\n DEBUG: no csum root, idatacsums=0 ibadroots=134217728\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]\n CPU: 5 UID: 0 PID: 1010 Comm: repro Tainted: G OE 6.15.0-custom+ #249 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022\n RIP: 0010:btrfs_lookup_csum+0x93/0x3d0 [btrfs]\n Call Trace:\n <TASK>\n btrfs_lookup_bio_sums+0x47a/0xdf0 [btrfs]\n btrfs_submit_bbio+0x43e/0x1a80 [btrfs]\n submit_one_bio+0xde/0x160 [btrfs]\n btrfs_readahead+0x498/0x6a0 [btrfs]\n read_pages+0x1c3/0xb20\n page_cache_ra_order+0x4b5/0xc20\n filemap_get_pages+0x2d3/0x19e0\n filemap_read+0x314/0xde0\n __kernel_read+0x35b/0x900\n bprm_execve+0x62e/0x1140\n do_execveat_common.isra.0+0x3fc/0x520\n __x64_sys_execveat+0xdc/0x130\n do_syscall_64+0x54/0x1d0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nFirstly the fs has a corrupted csum tree root, thus to mount the fs we\nhave to go \"ro,rescue=ibadroots\" mount option.\n\nNormally with that mount option, a bad csum tree root should set\nBTRFS_FS_STATE_NO_DATA_CSUMS flag, so that any future data read will\nignore csum search.\n\nBut in this particular case, we have the following call trace that\ncaused NULL csum root, but not setting BTRFS_FS_STATE_NO_DATA_CSUMS:\n\nload_global_roots_objectid():\n\n\t\tret = btrfs_search_slot();\n\t\t/* Succeeded */\n\t\tbtrfs_item_key_to_cpu()\n\t\tfound = true;\n\t\t/* We found the root item for csum tree. */\n\t\troot = read_tree_root_path();\n\t\tif (IS_ERR(root)) {\n\t\t\tif (!btrfs_test_opt(fs_info, IGNOREBADROOTS))\n\t\t\t/*\n\t\t\t * Since we have rescue=ibadroots mount option,\n\t\t\t * @ret is still 0.\n\t\t\t */\n\t\t\tbreak;\n\tif (!found || ret) {\n\t\t/* @found is true, @ret is 0, error handling for csum\n\t\t * tree is skipped.\n\t\t */\n\t}\n\nThis means we completely skipped to set BTRFS_FS_STATE_NO_DATA_CSUMS if\nthe csum tree is corrupted, which results unexpected later csum lookup.\n\n[FIX]\nIf read_tree_root_path() failed, always populate @ret to the error\nnumber.\n\nAs at the end of the function, we need @ret to determine if we need to\ndo the extra error handling for csum tree."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: manejar correctamente el error del \u00e1rbol csum con rescue=ibadroots [ERROR] Hay un reproductor basado en syzbot que puede hacer caer el kernel, con el siguiente seguimiento de llamada: (Con alguna salida de depuraci\u00f3n agregada) DEBUG: rescue=ibadroots analiz\u00f3 BTRFS: dispositivo fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 devid 1 transid 8 /dev/loop0 (7:0) escaneado por repro (1010) Informaci\u00f3n de BTRFS (dispositivo loop0): primer montaje del sistema de archivos 14d642db-7b15-43e4-81e6-4b8fac6a25f8 Informaci\u00f3n de BTRFS (dispositivo loop0): usando el algoritmo de suma de comprobaci\u00f3n blake2b (blake2b-256-generic) Informaci\u00f3n de BTRFS (dispositivo loop0): usando el algoritmo de suma de comprobaci\u00f3n blake2b (blake2b-256-generic) Advertencia de BTRFS de \u00e1rbol de espacio libre (dispositivo loop0): la verificaci\u00f3n de suma de comprobaci\u00f3n fall\u00f3 en el espejo l\u00f3gico 5312512 1 deseado 0xb043382657aede36608fd3386d6b001692ff406164733d94e2d9a180412c6003 encontrado 0x810ceb2bacb7f0f9eb2bf3b2b15c02af867cb35ad450898169f3b1f0bd818651 nivel 0 DEBUG: la lectura de la ruta ra\u00edz del \u00e1rbol fall\u00f3 para el csum del \u00e1rbol, ret=-5 Advertencia de BTRFS (dispositivo loop0): la verificaci\u00f3n de suma de comprobaci\u00f3n fall\u00f3 en el espejo l\u00f3gico 5328896 1 deseado Se encontr\u00f3 0x51be4e8b303da58e6340226815b70e3a93592dac3f30dd510c7517454de8567a. Advertencia BTRFS de nivel 0 (bucle de dispositivo 0): la verificaci\u00f3n de suma de comprobaci\u00f3n fall\u00f3 en el espejo l\u00f3gico 5292032 deseado 1. Se encontr\u00f3 0x1924ccd683be9efc2fa98582ef58760e3848e9043db8649ee382681e220cdee4. 0x0cb6184f6e8799d9f8cb335dccd1d1832da1071d12290dab3b85b587ecacca6e proceso de nivel 0 'repro' lanzado './file2' con NULL argv: cadena vac\u00eda agregada DEBUG: sin ra\u00edz csum, idatacsums=0 ibadroots=134217728 Oops: error de protecci\u00f3n general, probablemente para direcci\u00f3n no can\u00f3nica 0xdffffc0000000041: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref en el rango [0x0000000000000208-0x000000000000020f] CPU: 5 UID: 0 PID: 1010 Comm: repro Tainted: G OE 6.15.0-custom+ #249 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022 RIP: 0010:btrfs_lookup_csum+0x93/0x3d0 [btrfs] Call Trace: btrfs_lookup_bio_sums+0x47a/0xdf0 [btrfs] btrfs_submit_bbio+0x43e/0x1a80 [btrfs] submit_one_bio+0xde/0x160 [btrfs] btrfs_readahead+0x498/0x6a0 [btrfs] read_pages+0x1c3/0xb20 page_cache_ra_order+0x4b5/0xc20 filemap_get_pages+0x2d3/0x19e0 filemap_read+0x314/0xde0 __kernel_read+0x35b/0x900 bprm_execve+0x62e/0x1140 do_execveat_common.isra.0+0x3fc/0x520 __x64_sys_execveat+0xdc/0x130 do_syscall_64+0x54/0x1d0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ---[ end trace 0000000000000000 ]--- [CAUSE] En primer lugar, el sistema de archivos tiene una ra\u00edz de \u00e1rbol csum da\u00f1ada, por lo tanto, para montar el sistema de archivos tenemos que usar la opci\u00f3n de montaje \"ro,rescue=ibadroots\". Normalmente, con esa opci\u00f3n de montaje, una ra\u00edz de \u00e1rbol de sumas de confianza incorrecta deber\u00eda activar la bandera BTRFS_FS_STATE_NO_DATA_CSUMS, de modo que cualquier lectura de datos futura ignore la b\u00fasqueda de sumas de confianza. Sin embargo, en este caso particular, tenemos el siguiente seguimiento de llamada que gener\u00f3 una ra\u00edz de sumas de confianza nula, pero no activ\u00f3 BTRFS_FS_STATE_NO_DATA_CSUMS: load_global_roots_objectid(): ret = btrfs_search_slot(); /* Correcto */ btrfs_item_key_to_cpu() found = true; /* Se encontr\u00f3 el elemento ra\u00edz del \u00e1rbol de sumas de confianza. */ root = read_tree_root_path(); if (IS_ERR(root)) { if (!btrfs_test_opt(fs_info, IGNOREBADROOTS)) /* * Dado que tenemos la opci\u00f3n de montaje rescue=ibadroots, * @ret sigue siendo 0. */ break; if (!found || ret) { /* @found es verdadero, @ret es 0, se omite el manejo de errores del \u00e1rbol de sumas de csuma. */ } Esto significa que omitimos completamente la configuraci\u00f3n de BTRFS_FS_STATE_NO_DATA_CSUMS si el \u00e1rbol de sumas de csuma est\u00e1 da\u00f1ado, lo que resulta en una b\u00fasqueda posterior inesperada --- truncado ---"}], "lastModified": "2025-12-18T17:02:44.440", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8A5C04C-B957-4240-B2A3-2317C47666EB", "versionEndExcluding": "6.1.143", "versionStartIncluding": "5.17"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6AB3EB1A-48DE-47F4-9202-D0C58A0F6060", "versionEndExcluding": "6.6.96", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BD88DEC-018F-4F40-8E29-A2CA89813EBA", "versionEndExcluding": "6.12.36", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0CC768E2-3BBC-4A6E-9C2F-ECB27A703C2D", "versionEndExcluding": "6.15.5", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D4894DB-CCFE-4602-B1BF-3960B2E19A01"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09709862-E348-4378-8632-5A7813EDDC86"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "415BF58A-8197-43F5-B3D7-D1D63057A26E"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}