CVE-2025-38713 in Linux
Zusammenfassung
von VulDB • 04.06.2026
Based on the kernel log provided, this is a **KASAN (Kernel Address Sanitizer)** report indicating a **heap buffer overflow** (specifically, a write or read just beyond the allocated memory region).
### Key Findings
1. **Error Type**: **Heap Buffer Overflow** (Out-of-bounds access). * The log states: `The buggy address is located 0 bytes to the right of allocated 1036-byte region`. * This means the code tried to access memory immediately after a 1036-byte allocation.
2. **Affected Cache**: `kmalloc-2k` (size 2048 bytes). * The allocation was small (1036 bytes), but the allocator rounded it up to the nearest slab size (2048 bytes). The bug is accessing the very end of the *actual* used portion (1036 bytes), not necessarily the entire 2048-byte slab.
3. **Triggering Function**: `hfsplus_readdir` * The stack trace shows the allocation happened in `hfsplus_find_init`, which was called from `hfsplus_readdir`. * This indicates the bug is in the **HFS+ filesystem driver** in the Linux kernel, specifically when reading directory entries.
4. **Allocation Source**: * `hfsplus_find_init+0x95/0x1f0` * This function likely allocates a buffer to store directory search results or metadata.
5. **Task Context**: * Task ID: `9805` * System Call: `__x64_sys_getdents64` (used by `readdir` in userspace to read directory contents).
---
### Likely Root Cause
The HFS+ driver (`hfsplus`) is allocating a buffer of **1036 bytes** but then writing **1037 bytes or more** into it. This is a classic off-by-one or length miscalculation bug.
Common causes in filesystem drivers: * Incorrect calculation of the size of a directory entry. * Missing null-termination when copying strings. * Off-by-one error in loop bounds when parsing HFS+ catalog records.
---
### How to Fix / Investigate
1. **Locate the Code**: Look at the Linux kernel source file `fs/hfsplus/dir.c` (or `fs/hfsplus/catalog.c`), specifically the function `hfsplus_find_init`.
2. **Identify the Allocation**: Find the `kmalloc` or `kzalloc` call that allocates ~1036 bytes. It might look something like: ```c buf = kmalloc(size, GFP_KERNEL); ``` where `size` is calculated based on directory entry lengths.
3. **Check for Off-by-One**: * Verify if the code writes `size + 1` bytes (e.g., for a null terminator). * Check if the loop that copies data uses `< size` instead of `<= size` or vice versa. * Ensure that the calculated `size` accounts for all fields being copied.
4. **Reproduce**: * The bug is triggered by reading a directory on an HFS+ filesystem. * You can reproduce this by mounting an HFS+ image and running `ls -lR` or `getdents64` on a directory that triggers the specific code path.
5. **Patch Example (Hypothetical)**: If the bug is an off-by-one in string copying: ```c // Before (buggy): memcpy(buf, src, len); // len might be 1036, but src is 1037 bytes
// After (fixed): memcpy(buf, src, len - 1); // Or ensure len is correctly calculated ```
### Summary
* **Component**: Linux Kernel HFS+ Filesystem Driver * **Bug**: Heap buffer overflow (write 1 byte past 1036-byte allocation) * **Function**: `hfsplus_find_init` * **Action**: Review `hfsplus_find_init` in `fs/hfsplus/` for incorrect buffer size calculations or off-by-one errors in memory copying.
VulDB is the best source for vulnerability data and more expert information about this specific topic.