CVE-2025-37739 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()
syzbot reports an UBSAN issue as below:
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10 index 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]')
CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0 Call Trace: __dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429 get_nid fs/f2fs/node.h:381 [inline]
f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181 f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808 f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836 f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886 f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093 aio_write+0x56b/0x7c0 fs/aio.c:1633 io_submit_one+0x8a7/0x18a0 fs/aio.c:2052 __do_sys_io_submit fs/aio.c:2111 [inline]
__se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f238798cde9
index 18446744073709550692 (decimal, unsigned long long) = 0xfffffffffffffc64 (hexadecimal, unsigned long long) = -924 (decimal, long long)
In f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to access .i_nid[-924], it means both offset[0] and level should zero.
The possible case should be in f2fs_do_truncate_blocks(), we try to truncate inode size to zero, however, dn.ofs_in_node is zero and dn.node_page is not an inode page, so it fails to truncate inode page, and then pass zeroed free_from to f2fs_truncate_inode_blocks(), result in this issue.
if (dn.ofs_in_node || IS_INODE(dn.node_page)) {
f2fs_truncate_data_blocks_range(&dn, count); free_from += count; }
I guess the reason why dn.node_page is not an inode page could be: there are multiple nat entries share the same node block address, once the node block address was reused, f2fs_get_node_page() may load a non-inode block.
Let's add a sanity check for such condition to avoid out-of-bounds access issue.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/15/2026
The vulnerability described in CVE-2025-37739 represents a critical out-of-bounds memory access flaw within the F2FS (Flash-Friendly File System) implementation of the Linux kernel. This issue manifests specifically in the f2fs_truncate_inode_blocks() function, where a buffer overflow condition occurs due to improper validation of array indices. The problem is detected by the Undefined Behavior Sanitizer (UBSAN) during kernel execution, indicating that an array access attempts to reference an index that exceeds the allocated bounds for a __le32[5] type structure. The reported index value of 18446744073709550692 translates to -924 when interpreted as a signed integer, demonstrating how arithmetic overflow can lead to memory corruption scenarios.
The root cause of this vulnerability stems from a logic flaw in the truncation process when handling inode blocks during file system operations. When the system attempts to truncate an inode size to zero, the code path fails to properly validate whether the node page being accessed corresponds to an actual inode structure. The condition dn.ofs_in_node being zero combined with dn.node_page not being an inode page creates a scenario where the function receives a zeroed free_from parameter, leading to the out-of-bounds access. This condition is particularly concerning because it can occur during normal file system operations when multiple NAT (Node Address Table) entries share identical node block addresses, causing the f2fs_get_node_page() function to potentially load a non-inode block into memory.
The operational impact of this vulnerability extends beyond simple memory corruption, as it represents a potential vector for privilege escalation and system instability. The flaw allows for arbitrary memory access patterns that could be exploited to corrupt kernel data structures or potentially execute malicious code with kernel-level privileges. The attack surface is significant given that this affects core file system operations that occur during normal system usage, particularly when file truncation operations are performed. The vulnerability aligns with CWE-129, which specifically addresses issues related to insufficient bounds checking, and demonstrates characteristics consistent with ATT&CK technique T1068, involving privilege escalation through kernel exploits. The issue is particularly dangerous because it can be triggered through standard file system operations, making it difficult to detect and prevent through conventional security measures.
The recommended mitigation strategy involves implementing a comprehensive sanity check within the f2fs_truncate_inode_blocks() function to validate that the node page being accessed actually corresponds to a valid inode structure before proceeding with array operations. This approach directly addresses the root cause by ensuring that the function only processes legitimate inode pages, thereby preventing the out-of-bounds access that leads to the UBSAN violation. Additionally, the fix should include enhanced validation of the node page type within the f2fs_get_node_page() function to prevent the loading of non-inode blocks when inode-specific operations are required. The implementation should also consider adding additional bounds checking and input validation mechanisms throughout the truncation process to prevent similar issues from arising in other related code paths. This comprehensive approach ensures that the fix not only resolves the immediate vulnerability but also strengthens the overall robustness of the F2FS file system implementation against similar memory access violations.