CVE-2025-37780 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

isofs: Prevent the use of too small fid

syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1]

The handle_bytes value passed in by the reproducing program is equal to 12. In handle_to_path(), only 12 bytes of memory are allocated for the structure file_handle->f_handle member, which causes an out-of-bounds access when accessing the member parent_block of the structure isofs_fid in isofs, because accessing parent_block requires at least 16 bytes of f_handle. Here, fh_len is used to indirectly confirm that the value of handle_bytes is greater than 3 before accessing parent_block.

[1]
BUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183 Read of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466 CPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline]
print_report+0x198/0x550 mm/kasan/report.c:521 kasan_report+0xd8/0x138 mm/kasan/report.c:634 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380 isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183 exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523 do_handle_to_path+0xa0/0x198 fs/fhandle.c:257 handle_to_path fs/fhandle.c:385 [inline]
do_handle_open+0x8cc/0xb8c fs/fhandle.c:403 __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
__se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
__arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Allocated by task 6466: kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4294 [inline]
__kmalloc_noprof+0x32c/0x54c mm/slub.c:4306 kmalloc_noprof include/linux/slab.h:905 [inline]
handle_to_path fs/fhandle.c:357 [inline]
do_handle_open+0x5a4/0xb8c fs/fhandle.c:403 __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
__se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
__arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 03/16/2026

The vulnerability CVE-2025-37780 resides within the Linux kernel's isofs (ISO 9660 filesystem) implementation, specifically in the function isofs_fh_to_parent which handles file handle decoding operations. This issue manifests as a slab-out-of-bounds read condition that arises from improper validation of the handle_bytes parameter passed during file handle operations. The flaw occurs when a malicious or malformed file handle is processed, causing the kernel to allocate insufficient memory for the file_handle structure, leading to memory access violations beyond the allocated bounds. The reported out-of-bounds access occurs at address 0xffff0000cc030d94 where a 4-byte read operation attempts to access the parent_block member of the isofs_fid structure, which requires at least 16 bytes of memory to be properly accessible. This vulnerability is classified under CWE-129 as an "Improper Validation of Array Index" and aligns with ATT&CK technique T1059.3.002 for execution through kernel exploits.

The technical root cause stems from the handle_to_path function in fs/fhandle.c, which allocates only 12 bytes of memory for the file_handle->f_handle member based on the handle_bytes value provided by the reproducing program. However, the isofs_fid structure requires at least 16 bytes to properly contain the parent_block member that is accessed in isofs_fh_to_parent. The insufficient memory allocation allows an attacker to manipulate the file handle decoding process and trigger a memory access violation. The vulnerability is triggered through the open_by_handle_at system call, which internally calls do_handle_open and eventually leads to handle_to_path where the incorrect memory allocation occurs. The KASAN (Kernel Address Sanitizer) report confirms that this is a slab-out-of-bounds read where the kernel attempts to read 4 bytes at an address that is outside the bounds of the allocated memory region, specifically accessing the parent_block field without sufficient buffer space.

The operational impact of this vulnerability is significant as it represents a potential path for privilege escalation or denial of service within kernel space. An attacker who can control file handle parameters could exploit this to cause kernel crashes or potentially execute arbitrary code with kernel privileges. The vulnerability affects systems running Linux kernels with isofs support, particularly those implementing file handle operations for ISO filesystems. The issue is particularly concerning because it can be triggered through normal file system operations involving file handle decoding, making it accessible to any process that interacts with ISO filesystems through the open_by_handle_at system call. This makes the vulnerability exploitable in environments where ISO filesystems are mounted or accessed through file handle operations, potentially affecting server environments, virtualization platforms, or systems that support ISO image mounting.

Mitigation strategies for CVE-2025-37780 should focus on implementing proper bounds checking and memory allocation validation within the isofs filesystem implementation. The primary fix involves ensuring that the handle_bytes parameter is properly validated before memory allocation occurs, requiring that sufficient space is allocated for the complete isofs_fid structure including all required members. Kernel patches should enforce minimum buffer size requirements for file_handle structures when processing ISO filesystem handles, preventing the allocation of insufficient memory that leads to out-of-bounds access. Additionally, implementing enhanced input validation in the handle_to_path function would prevent the exploitation of this memory corruption vulnerability by ensuring that file handle parameters meet minimum size requirements before proceeding with memory allocation. System administrators should apply the relevant kernel patches as soon as they become available, monitor for any exploitation attempts through system logs, and consider implementing kernel lockdown mechanisms to limit potential exploitation vectors. The vulnerability also highlights the importance of continuous kernel security auditing and fuzzing operations such as those conducted by syzbot, which identified this specific issue through automated testing.

Responsible

Linux

Reservation

04/16/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00174

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!