CVE-2025-40082 (GCVE-0-2025-40082)

Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2026-05-23 16:01
VLAI
Title
hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
Summary
In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186 Read of size 2 at addr ffff8880289ef218 by task syz.6.248/14290 CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x5f0 mm/kasan/report.c:482 kasan_report+0xca/0x100 mm/kasan/report.c:595 hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186 hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738 vfs_listxattr+0xbe/0x140 fs/xattr.c:493 listxattr+0xee/0x190 fs/xattr.c:924 filename_listxattr fs/xattr.c:958 [inline] path_listxattrat+0x143/0x360 fs/xattr.c:988 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe0e9fae16d Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3 RAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000 RBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000 </TASK> Allocated by task 14290: kasan_save_stack+0x24/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4333 [inline] __kmalloc_noprof+0x219/0x540 mm/slub.c:4345 kmalloc_noprof include/linux/slab.h:909 [inline] hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21 hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697 vfs_listxattr+0xbe/0x140 fs/xattr.c:493 listxattr+0xee/0x190 fs/xattr.c:924 filename_listxattr fs/xattr.c:958 [inline] path_listxattrat+0x143/0x360 fs/xattr.c:988 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f When hfsplus_uni2asc is called from hfsplus_listxattr, it actually passes in a struct hfsplus_attr_unistr*. The size of the corresponding structure is different from that of hfsplus_unistr, so the previous fix (94458781aee6) is insufficient. The pointer on the unicode buffer is still going beyond the allocated memory. This patch introduces two warpper functions hfsplus_uni2asc_xattr_str and hfsplus_uni2asc_str to process two unicode buffers, struct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively. When ustrlen value is bigger than the allocated memory size, the ustrlen value is limited to an safe size.
Severity
7.1 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: ccf0ad56a779e6704c0b27f555dec847f50c7557 , < 343fe375a8dd6ee51a193a1c233b999f5ea4d479 (git)
Affected: 13604b1d7e7b125fb428cddbec6b8d92baad25d5 , < 782acde47e127c98a113726e2ff8024bd65c0454 (git)
Affected: 291bb5d931c6f3cd7227b913302a17be21cf53b0 , < c3db89ea1ed3d540eebe8f3c36e806fb75ee4a1e (git)
Affected: f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee , < 5b5228964619b180f366940505b77255b1a03929 (git)
Affected: 94458781aee6045bd3d0ad4b80b02886b9e2219b , < 857aefc70d4ae3b9bf1ae67434d27d0f79f80c9e (git)
Affected: 94458781aee6045bd3d0ad4b80b02886b9e2219b , < bea3e1d4467bcf292c8e54f080353d556d355e26 (git)
Affected: 73f7da507d787b489761a0fa280716f84fa32b2f (git)
Affected: 76a4c6636a69d69409aa253b049b1be717a539c5 (git)
Affected: 6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9 (git)
Affected: 1ca69007e52a73bd8b84b988b61b319816ca8b01 (git)
Affected: 5.15.190 , < 5.15.200 (semver)
Affected: 6.1.149 , < 6.1.163 (semver)
Affected: 6.6.103 , < 6.6.124 (semver)
Affected: 6.12.43 , < 6.12.70 (semver)
Affected: 5.4.297 , < 5.5 (semver)
Affected: 5.10.241 , < 5.11 (semver)
Affected: 6.15.11 , < 6.16 (semver)
Affected: 6.16.2 , < 6.17 (semver)
Create a notification for this product.
Linux Linux Affected: 6.17
Unaffected: 0 , < 6.17 (semver)
Unaffected: 5.15.200 , ≤ 5.15.* (semver)
Unaffected: 6.1.163 , ≤ 6.1.* (semver)
Unaffected: 6.6.124 , ≤ 6.6.* (semver)
Unaffected: 6.12.70 , ≤ 6.12.* (semver)
Unaffected: 6.17.3 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/hfsplus/dir.c",
            "fs/hfsplus/hfsplus_fs.h",
            "fs/hfsplus/unicode.c",
            "fs/hfsplus/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "343fe375a8dd6ee51a193a1c233b999f5ea4d479",
              "status": "affected",
              "version": "ccf0ad56a779e6704c0b27f555dec847f50c7557",
              "versionType": "git"
            },
            {
              "lessThan": "782acde47e127c98a113726e2ff8024bd65c0454",
              "status": "affected",
              "version": "13604b1d7e7b125fb428cddbec6b8d92baad25d5",
              "versionType": "git"
            },
            {
              "lessThan": "c3db89ea1ed3d540eebe8f3c36e806fb75ee4a1e",
              "status": "affected",
              "version": "291bb5d931c6f3cd7227b913302a17be21cf53b0",
              "versionType": "git"
            },
            {
              "lessThan": "5b5228964619b180f366940505b77255b1a03929",
              "status": "affected",
              "version": "f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee",
              "versionType": "git"
            },
            {
              "lessThan": "857aefc70d4ae3b9bf1ae67434d27d0f79f80c9e",
              "status": "affected",
              "version": "94458781aee6045bd3d0ad4b80b02886b9e2219b",
              "versionType": "git"
            },
            {
              "lessThan": "bea3e1d4467bcf292c8e54f080353d556d355e26",
              "status": "affected",
              "version": "94458781aee6045bd3d0ad4b80b02886b9e2219b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "73f7da507d787b489761a0fa280716f84fa32b2f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "76a4c6636a69d69409aa253b049b1be717a539c5",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1ca69007e52a73bd8b84b988b61b319816ca8b01",
              "versionType": "git"
            },
            {
              "lessThan": "5.15.200",
              "status": "affected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.163",
              "status": "affected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.124",
              "status": "affected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.70",
              "status": "affected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThan": "5.5",
              "status": "affected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThan": "5.11",
              "status": "affected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThan": "6.16",
              "status": "affected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThan": "6.17",
              "status": "affected",
              "version": "6.16.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/hfsplus/dir.c",
            "fs/hfsplus/hfsplus_fs.h",
            "fs/hfsplus/unicode.c",
            "fs/hfsplus/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.17"
            },
            {
              "lessThan": "6.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.200",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.200",
                  "versionStartIncluding": "5.15.190",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.163",
                  "versionStartIncluding": "6.1.149",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.124",
                  "versionStartIncluding": "6.6.103",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.70",
                  "versionStartIncluding": "6.12.43",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.3",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.297",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.241",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.15.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.16.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()\n\nBUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186\nRead of size 2 at addr ffff8880289ef218 by task syz.6.248/14290\n\nCPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x5f0 mm/kasan/report.c:482\n kasan_report+0xca/0x100 mm/kasan/report.c:595\n hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186\n hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738\n vfs_listxattr+0xbe/0x140 fs/xattr.c:493\n listxattr+0xee/0x190 fs/xattr.c:924\n filename_listxattr fs/xattr.c:958 [inline]\n path_listxattrat+0x143/0x360 fs/xattr.c:988\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe0e9fae16d\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3\nRAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000\nRBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000\n \u003c/TASK\u003e\n\nAllocated by task 14290:\n kasan_save_stack+0x24/0x50 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4333 [inline]\n __kmalloc_noprof+0x219/0x540 mm/slub.c:4345\n kmalloc_noprof include/linux/slab.h:909 [inline]\n hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21\n hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697\n vfs_listxattr+0xbe/0x140 fs/xattr.c:493\n listxattr+0xee/0x190 fs/xattr.c:924\n filename_listxattr fs/xattr.c:958 [inline]\n path_listxattrat+0x143/0x360 fs/xattr.c:988\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWhen hfsplus_uni2asc is called from hfsplus_listxattr,\nit actually passes in a struct hfsplus_attr_unistr*.\nThe size of the corresponding structure is different from that of hfsplus_unistr,\nso the previous fix (94458781aee6) is insufficient.\nThe pointer on the unicode buffer is still going beyond the allocated memory.\n\nThis patch introduces two warpper functions hfsplus_uni2asc_xattr_str and\nhfsplus_uni2asc_str to process two unicode buffers,\nstruct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.\nWhen ustrlen value is bigger than the allocated memory size,\nthe ustrlen value is limited to an safe size."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:01:23.267Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/343fe375a8dd6ee51a193a1c233b999f5ea4d479"
        },
        {
          "url": "https://git.kernel.org/stable/c/782acde47e127c98a113726e2ff8024bd65c0454"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3db89ea1ed3d540eebe8f3c36e806fb75ee4a1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b5228964619b180f366940505b77255b1a03929"
        },
        {
          "url": "https://git.kernel.org/stable/c/857aefc70d4ae3b9bf1ae67434d27d0f79f80c9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/bea3e1d4467bcf292c8e54f080353d556d355e26"
        }
      ],
      "title": "hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40082",
    "datePublished": "2025-10-28T11:48:45.975Z",
    "dateReserved": "2025-04-16T07:20:57.161Z",
    "dateUpdated": "2026-05-23T16:01:23.267Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-40082",
      "date": "2026-06-16",
      "epss": "0.0017",
      "percentile": "0.06634"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40082\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-28T12:15:42.840\",\"lastModified\":\"2026-02-26T15:51:15.730\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()\\n\\nBUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186\\nRead of size 2 at addr ffff8880289ef218 by task syz.6.248/14290\\n\\nCPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\nCall Trace:\\n \u003cTASK\u003e\\n __dump_stack lib/dump_stack.c:94 [inline]\\n dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120\\n print_address_description mm/kasan/report.c:378 [inline]\\n print_report+0xca/0x5f0 mm/kasan/report.c:482\\n kasan_report+0xca/0x100 mm/kasan/report.c:595\\n hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186\\n hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738\\n vfs_listxattr+0xbe/0x140 fs/xattr.c:493\\n listxattr+0xee/0x190 fs/xattr.c:924\\n filename_listxattr fs/xattr.c:958 [inline]\\n path_listxattrat+0x143/0x360 fs/xattr.c:988\\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\\n do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\nRIP: 0033:0x7fe0e9fae16d\\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3\\nRAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d\\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000\\nRBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\\nR13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000\\n \u003c/TASK\u003e\\n\\nAllocated by task 14290:\\n kasan_save_stack+0x24/0x50 mm/kasan/common.c:47\\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\\n kasan_kmalloc include/linux/kasan.h:260 [inline]\\n __do_kmalloc_node mm/slub.c:4333 [inline]\\n __kmalloc_noprof+0x219/0x540 mm/slub.c:4345\\n kmalloc_noprof include/linux/slab.h:909 [inline]\\n hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21\\n hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697\\n vfs_listxattr+0xbe/0x140 fs/xattr.c:493\\n listxattr+0xee/0x190 fs/xattr.c:924\\n filename_listxattr fs/xattr.c:958 [inline]\\n path_listxattrat+0x143/0x360 fs/xattr.c:988\\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\\n do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nWhen hfsplus_uni2asc is called from hfsplus_listxattr,\\nit actually passes in a struct hfsplus_attr_unistr*.\\nThe size of the corresponding structure is different from that of hfsplus_unistr,\\nso the previous fix (94458781aee6) is insufficient.\\nThe pointer on the unicode buffer is still going beyond the allocated memory.\\n\\nThis patch introduces two warpper functions hfsplus_uni2asc_xattr_str and\\nhfsplus_uni2asc_str to process two unicode buffers,\\nstruct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.\\nWhen ustrlen value is bigger than the allocated memory size,\\nthe ustrlen value is limited to an safe size.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4.297\",\"versionEndExcluding\":\"5.5\",\"matchCriteriaId\":\"6A4268E9-3297-43A5-98D3-25B38D611EF5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.10.241\",\"versionEndExcluding\":\"5.11\",\"matchCriteriaId\":\"FC16C741-04D3-418A-87C6-8EE23F15B67C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.15.190\",\"versionEndExcluding\":\"5.15.200\",\"matchCriteriaId\":\"BACB26C0-32A3-431C-8C20-05421E919125\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.149\",\"versionEndExcluding\":\"6.1.163\",\"matchCriteriaId\":\"9AE4CF01-A026-40E6-9CD3-0B3B3F59C120\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6.103\",\"versionEndExcluding\":\"6.6.124\",\"matchCriteriaId\":\"3D083E8E-BC06-4D19-865A-0E07209FE92C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.12.43\",\"versionEndExcluding\":\"6.12.70\",\"matchCriteriaId\":\"45378862-C7D5-4E3F-8568-B4B3F29512C6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.15.11\",\"versionEndExcluding\":\"6.16\",\"matchCriteriaId\":\"53FE35DC-2528-48D7-A855-1127CA02EE4D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.16.2\",\"versionEndExcluding\":\"6.17.3\",\"matchCriteriaId\":\"1707AC6B-1BAE-4AC0-B499-86C29D950613\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/343fe375a8dd6ee51a193a1c233b999f5ea4d479\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5b5228964619b180f366940505b77255b1a03929\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/782acde47e127c98a113726e2ff8024bd65c0454\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/857aefc70d4ae3b9bf1ae67434d27d0f79f80c9e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/bea3e1d4467bcf292c8e54f080353d556d355e26\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c3db89ea1ed3d540eebe8f3c36e806fb75ee4a1e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.