CVE-2025-39735

{"id": "CVE-2025-39735", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2025-04-18T07:15:44.150", "references": [{"url": "https://git.kernel.org/stable/c/0beddc2a3f9b9cf7d8887973041e36c2d0fa3652", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/16d3d36436492aa248b2d8045e75585ebcc2f34d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3d6fd5b9c6acbc005e53d0211c7381f566babec1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/46e2c031aa59ea65128991cbca474bd5c0c2ecdb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/50afcee7011155933d8d5e8832f52eeee018cfd3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5263822558a8a7c0d0248d5679c2dcf4d5cda61f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/78c9cbde8880ec02d864c166bcb4fe989ce1d95f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a8c31808925b11393a6601f534bb63bac5366bab", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fdf480da5837c23b146c4743c18de97202fcab37", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix slab-out-of-bounds read in ea_get()\n\nDuring the \"size_check\" label in ea_get(), the code checks if the extended\nattribute list (xattr) size matches ea_size. If not, it logs\n\"ea_get: invalid extended attribute\" and calls print_hex_dump().\n\nHere, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds\nINT_MAX (2,147,483,647). Then ea_size is clamped:\n\n\tint size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));\n\nAlthough clamp_t aims to bound ea_size between 0 and 4110417968, the upper\nlimit is treated as an int, causing an overflow above 2^31 - 1. This leads\n\"size\" to wrap around and become negative (-184549328).\n\nThe \"size\" is then passed to print_hex_dump() (called \"len\" in\nprint_hex_dump()), it is passed as type size_t (an unsigned\ntype), this is then stored inside a variable called\n\"int remaining\", which is then assigned to \"int linelen\" which\nis then passed to hex_dump_to_buffer(). In print_hex_dump()\nthe for loop, iterates through 0 to len-1, where len is\n18446744073525002176, calling hex_dump_to_buffer()\non each iteration:\n\n\tfor (i = 0; i < len; i += rowsize) {\n\t\tlinelen = min(remaining, rowsize);\n\t\tremaining -= rowsize;\n\n\t\thex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,\n\t\t\t\t linebuf, sizeof(linebuf), ascii);\n\n\t\t...\n\t}\n\nThe expected stopping condition (i < len) is effectively broken\nsince len is corrupted and very large. This eventually leads to\nthe \"ptr+i\" being passed to hex_dump_to_buffer() to get closer\nto the end of the actual bounds of \"ptr\", eventually an out of\nbounds access is done in hex_dump_to_buffer() in the following\nfor loop:\n\n\tfor (j = 0; j < len; j++) {\n\t\t\tif (linebuflen < lx + 2)\n\t\t\t\tgoto overflow2;\n\t\t\tch = ptr[j];\n\t\t...\n\t}\n\nTo fix this we should validate \"EALIST_SIZE(ea_buf->xattr)\"\nbefore it is utilised."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: jfs: correcci\u00f3n de lectura fuera de los l\u00edmites de slab en ea_get(). Durante la etiqueta \"size_check\" en ea_get(), el c\u00f3digo comprueba si el tama\u00f1o de la lista de atributos extendidos (xattr) coincide con ea_size. De lo contrario, registra \"ea_get: atributo extendido no v\u00e1lido\" y llama a print_hex_dump(). En este caso, EALIST_SIZE(ea_buf-&gt;xattr) devuelve 4110417968, que excede INT_MAX (2147483647). A continuaci\u00f3n, se fija ea_size: int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf-&gt;xattr)); Aunque clamp_t busca limitar ea_size entre 0 y 4110417968, el l\u00edmite superior se trata como un entero, lo que provoca un desbordamiento por encima de 2^31 - 1. Esto hace que \"size\" se repita y se vuelva negativo (-184549328). El \"size\" se pasa a print_hex_dump() (llamado \"len\" en print_hex_dump()) como tipo size_t (un tipo sin signo). Este se almacena en una variable llamada \"int remaining\", que se asigna a \"int linelen\", que a su vez se pasa a hex_dump_to_buffer(). En print_hex_dump(), el bucle for itera desde 0 hasta len-1, donde len es 18446744073525002176 y llama a hex_dump_to_buffer() en cada iteraci\u00f3n: for (i = 0; i &lt; len; i += rowsize) { linelen = min(remaining, rowsize); remaining -= rowsize; hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize, linebuf, sizeof(linebuf), ascii); ... } La condici\u00f3n de detenci\u00f3n esperada (i &lt; len) se rompe efectivamente ya que len est\u00e1 da\u00f1ado y es muy grande. Esto eventualmente lleva a que \"ptr+i\" se pase a hex_dump_to_buffer() para acercarse al final de los l\u00edmites reales de \"ptr\", eventualmente se realiza un acceso fuera de los l\u00edmites en hex_dump_to_buffer() en el siguiente bucle for: for (j = 0; j &lt; len; j++) { if (linebuflen &lt; lx + 2) goto overflow2; ch = ptr[j]; ... } Para solucionar esto debemos validar \"EALIST_SIZE(ea_buf-&gt;xattr)\" antes de utilizarlo."}], "lastModified": "2025-04-28T14:37:34.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C960EB7-4E90-49E0-BB92-BE6F1B8CF26F", "versionEndExcluding": "4.20", "versionStartIncluding": "4.19.325"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16E1C46D-7C0B-4307-928A-8D0ABDF8D1B8", "versionEndExcluding": "5.4.292", "versionStartIncluding": "5.4.287"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8F0C4A9A-87C3-4779-923D-5E19C9A26EA9", "versionEndExcluding": "5.10.236", "versionStartIncluding": "5.10.231"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6B383DC-5ED6-4326-885D-2F161A71E2D5", "versionEndExcluding": "5.15.180", "versionStartIncluding": "5.15.174"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9344B2D-88D1-4540-9748-8CC37D3B25C8", "versionEndExcluding": "6.1.134", "versionStartIncluding": "6.1.120"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "042FFA18-3C6A-4999-AB8F-4F6F5902BEEA", "versionEndExcluding": "6.6.87", "versionStartIncluding": "6.6.64"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4CBF5F6E-D446-4CAE-AAA4-413442319824", "versionEndExcluding": "6.12", "versionStartIncluding": "6.11.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5C71FC9-A61C-431A-9215-38D09F5A2FF3", "versionEndExcluding": "6.12.23", "versionStartIncluding": "6.12.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7E864B0-8C00-4679-BA55-659B4C9C3AD3", "versionEndExcluding": "6.13.11", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}