CVE-2025-38713 in Linuxinfo

Zusammenfassung

von VulDB • 04.06.2026

Based on the kernel log provided, this is a **KASAN (Kernel Address Sanitizer)** report indicating a **heap buffer overflow** (specifically, a write or read just beyond the allocated memory region).

### Key Findings

1. **Error Type**: **Heap Buffer Overflow** (Out-of-bounds access). * The log states: `The buggy address is located 0 bytes to the right of allocated 1036-byte region`. * This means the code tried to access memory immediately after a 1036-byte allocation.

2. **Affected Cache**: `kmalloc-2k` (size 2048 bytes). * The allocation was small (1036 bytes), but the allocator rounded it up to the nearest slab size (2048 bytes). The bug is accessing the very end of the *actual* used portion (1036 bytes), not necessarily the entire 2048-byte slab.

3. **Triggering Function**: `hfsplus_readdir` * The stack trace shows the allocation happened in `hfsplus_find_init`, which was called from `hfsplus_readdir`. * This indicates the bug is in the **HFS+ filesystem driver** in the Linux kernel, specifically when reading directory entries.

4. **Allocation Source**: * `hfsplus_find_init+0x95/0x1f0` * This function likely allocates a buffer to store directory search results or metadata.

5. **Task Context**: * Task ID: `9805` * System Call: `__x64_sys_getdents64` (used by `readdir` in userspace to read directory contents).

---

### Likely Root Cause

The HFS+ driver (`hfsplus`) is allocating a buffer of **1036 bytes** but then writing **1037 bytes or more** into it. This is a classic off-by-one or length miscalculation bug.

Common causes in filesystem drivers: * Incorrect calculation of the size of a directory entry. * Missing null-termination when copying strings. * Off-by-one error in loop bounds when parsing HFS+ catalog records.

---

### How to Fix / Investigate

1. **Locate the Code**: Look at the Linux kernel source file `fs/hfsplus/dir.c` (or `fs/hfsplus/catalog.c`), specifically the function `hfsplus_find_init`.

2. **Identify the Allocation**: Find the `kmalloc` or `kzalloc` call that allocates ~1036 bytes. It might look something like: ```c buf = kmalloc(size, GFP_KERNEL); ``` where `size` is calculated based on directory entry lengths.

3. **Check for Off-by-One**: * Verify if the code writes `size + 1` bytes (e.g., for a null terminator). * Check if the loop that copies data uses `< size` instead of `<= size` or vice versa. * Ensure that the calculated `size` accounts for all fields being copied.

4. **Reproduce**: * The bug is triggered by reading a directory on an HFS+ filesystem. * You can reproduce this by mounting an HFS+ image and running `ls -lR` or `getdents64` on a directory that triggers the specific code path.

5. **Patch Example (Hypothetical)**: If the bug is an off-by-one in string copying: ```c // Before (buggy): memcpy(buf, src, len); // len might be 1036, but src is 1037 bytes

// After (fixed): memcpy(buf, src, len - 1); // Or ensure len is correctly calculated ```

### Summary

* **Component**: Linux Kernel HFS+ Filesystem Driver * **Bug**: Heap buffer overflow (write 1 byte past 1036-byte allocation) * **Function**: `hfsplus_find_init` * **Action**: Review `hfsplus_find_init` in `fs/hfsplus/` for incorrect buffer size calculations or off-by-one errors in memory copying.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Zuständig

Linux

Reservieren

16.04.2025

Veröffentlichung

04.09.2025

Moderieren

akzeptiert

Eintrag

VDB-322533

CPE

bereit

EPSS

0.00152

KEV

nein

Aktivitäten

very low

Quellen

Do you know our Splunk app?

Download it now for free!