CVE-2025-37782 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key

Syzbot reported an issue in hfs subsystem:

BUG: KASAN: slab-out-of-bounds in memcpy_from_page include/linux/highmem.h:423 [inline]
BUG: KASAN: slab-out-of-bounds in hfs_bnode_read fs/hfs/bnode.c:35 [inline]
BUG: KASAN: slab-out-of-bounds in hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70 Write of size 94 at addr ffff8880123cd100 by task syz-executor237/5102

Call Trace: __dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 memcpy_from_page include/linux/highmem.h:423 [inline]
hfs_bnode_read fs/hfs/bnode.c:35 [inline]
hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70 hfs_brec_insert+0x7f3/0xbd0 fs/hfs/brec.c:159 hfs_cat_create+0x41d/0xa50 fs/hfs/catalog.c:118 hfs_mkdir+0x6c/0xe0 fs/hfs/dir.c:232 vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257 do_mkdirat+0x264/0x3a0 fs/namei.c:4280 __do_sys_mkdir fs/namei.c:4300 [inline]
__se_sys_mkdir fs/namei.c:4298 [inline]
__x64_sys_mkdir+0x6c/0x80 fs/namei.c:4298 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fbdd6057a99

Add a check for key length in hfs_bnode_read_key to prevent out-of-bounds memory access. If the key length is invalid, the key buffer is cleared, improving stability and reliability.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 03/16/2026

The vulnerability resides within the hfs and hfsplus filesystem implementations of the linux kernel, specifically in the hfs_bnode_read_key function which handles reading keys from b-trees used by these filesystems. This issue manifests as a slab-out-of-bounds memory access error that occurs during kernel memory management operations, where the system attempts to write data beyond the allocated buffer boundaries. The problem was identified through automated fuzzing conducted by syzbot, a kernel fuzzer that systematically tests kernel code paths for vulnerabilities.

The technical flaw stems from insufficient validation of key length parameters within the hfs_bnode_read_key function located in fs/hfs/bnode.c at line 70. When processing filesystem metadata structures, the function fails to properly validate the length of keys being read, allowing malicious or malformed data to trigger memory corruption. The kernel address sanitizer (KASAN) detected this issue during a memcpy_from_page operation that attempted to write 94 bytes of data to an address that exceeded the bounds of the allocated buffer, specifically at ffff8880123cd100. This type of vulnerability falls under the common weakness enumeration CWE-129, which describes "Improper Validation of Array Index" and is classified as a memory safety issue in the attack technique framework.

The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling privilege escalation or system instability when exploited. The call trace shows the execution path leading to the crash originates from a mkdir system call, indicating that an attacker could trigger this condition through filesystem operations on hfs/hfsplus volumes. When the key length validation fails, the system attempts to write beyond allocated memory boundaries, which can result in kernel crashes, data corruption, or potentially allow attackers to execute arbitrary code with kernel privileges if proper mitigations are not in place. This vulnerability directly affects systems running linux kernels that support hfs/hfsplus filesystems and could be exploited in scenarios where untrusted filesystem data is processed.

The fix implemented addresses the root cause by adding explicit validation checks for key length parameters before any memory operations occur within the hfs_bnode_read_key function. When an invalid key length is detected, the system clears the key buffer rather than allowing out-of-bounds writes to proceed, maintaining system stability while preventing potential exploitation. This mitigation strategy aligns with secure coding practices recommended in the linux kernel security guidelines and follows the principle of least privilege by ensuring all external inputs are properly validated before processing. The solution prevents the slab-out-of-bounds condition while maintaining filesystem functionality and is consistent with defensive programming techniques that protect against buffer overflow vulnerabilities in kernel space operations.

Responsible

Linux

Reservation

04/16/2025

Disclosure

05/01/2025

Moderation

revoked

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!