CVE-2025-39735 in Linux
Summary
by MITRE • 04/18/2025
In the Linux kernel, the following vulnerability has been resolved:
jfs: fix slab-out-of-bounds read in ea_get()
During the "size_check" label in ea_get(), the code checks if the extended attribute list (xattr) size matches ea_size. If not, it logs "ea_get: invalid extended attribute" and calls print_hex_dump().
Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds INT_MAX (2,147,483,647). Then ea_size is clamped:
int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper limit is treated as an int, causing an overflow above 2^31 - 1. This leads "size" to wrap around and become negative (-184549328).
The "size" is then passed to print_hex_dump() (called "len" in print_hex_dump()), it is passed as type size_t (an unsigned type), this is then stored inside a variable called "int remaining", which is then assigned to "int linelen" which is then passed to hex_dump_to_buffer(). In print_hex_dump() the for loop, iterates through 0 to len-1, where len is 18446744073525002176, calling hex_dump_to_buffer() on each iteration:
for (i = 0; i < len; i += rowsize) {
linelen = min(remaining, rowsize); remaining -= rowsize;
hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize, linebuf, sizeof(linebuf), ascii);
... }
The expected stopping condition (i < len) is effectively broken since len is corrupted and very large. This eventually leads to the "ptr+i" being passed to hex_dump_to_buffer() to get closer to the end of the actual bounds of "ptr", eventually an out of bounds access is done in hex_dump_to_buffer() in the following for loop:
for (j = 0; j < len; j++) {
if (linebuflen < lx + 2) goto overflow2; ch = ptr[j];
... }
To fix this we should validate "EALIST_SIZE(ea_buf->xattr)" before it is utilised.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/16/2026
The vulnerability identified as CVE-2025-39735 resides within the Linux kernel's JFS (Journaled File System) implementation, specifically within the ea_get() function responsible for handling extended attributes. This flaw manifests as a slab-out-of-bounds read condition that arises from improper handling of integer overflow during size validation operations. The issue occurs when processing extended attribute lists where the buffer size calculation exceeds the maximum value representable by a signed 32-bit integer, leading to a cascading series of type conversions and arithmetic operations that ultimately result in memory access violations.
The technical root cause stems from the use of clamp_t macro which is designed to constrain values within specified bounds but fails to account for the overflow behavior when dealing with large unsigned values that exceed the range of signed integers. When EALIST_SIZE(ea_buf->xattr) returns a value of 4110417968, which surpasses INT_MAX, the subsequent clamping operation produces a negative result due to integer wraparound. This negative value, when passed through multiple type conversions and function calls, eventually corrupts the length parameter used in print_hex_dump() function, causing an excessively large iteration count in the for loop that processes the memory buffer.
The operational impact of this vulnerability is significant as it represents a potential path for arbitrary code execution or information disclosure within the kernel space. The out-of-bounds memory access occurs during the hex_dump_to_buffer() function call where the corrupted length parameter causes the loop to iterate far beyond the actual bounds of the allocated memory region. This behavior aligns with CWE-129, which addresses improper validation of array index values, and can be categorized under ATT&CK technique T1068, which involves exploiting local privilege escalation vulnerabilities through kernel exploits. The vulnerability demonstrates how seemingly benign size validation logic can be subverted through integer overflow conditions that bypass intended security checks.
Mitigation strategies for this vulnerability require immediate implementation of proper size validation before any arithmetic operations are performed on extended attribute buffer sizes. The fix should validate EALIST_SIZE(ea_buf->xattr) against maximum allowable values before it is utilized in any calculations, ensuring that potential overflow conditions are detected and handled gracefully. Additionally, developers should implement comprehensive bounds checking throughout the codebase, particularly in functions that handle memory operations and buffer manipulations. The solution must also include proper type safety measures to prevent implicit conversions between signed and unsigned integer types that could lead to similar overflow conditions in other parts of the kernel code. System administrators should ensure that affected kernel versions are updated promptly to prevent exploitation of this vulnerability in production environments.