GHSA-7V4M-QG52-MXG3

Vulnerability from github – Published: 2025-11-13 00:30 – Updated: 2025-11-13 00:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: avoid potential out-of-bounds in btrfs_encode_fh()

The function btrfs_encode_fh() does not properly account for the three cases it handles.

Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).

However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT (10 dwords, 40 bytes).

If *max_len is not large enough, this write goes out of bounds because BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than BTRFS_FID_SIZE_CONNECTABLE originally returned.

This results in an 8-byte out-of-bounds write at fid->parent_root_objectid = parent_root_id.

A previous attempt to fix this issue was made but was lost.

https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/

Although this issue does not seem to be easily triggerable, it is a potential memory corruption bug that should be fixed. This patch resolves the issue by ensuring the function returns the appropriate size for all three cases and validates that *max_len is large enough before writing any data.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-40205"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T22:15:47Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: avoid potential out-of-bounds in btrfs_encode_fh()\n\nThe function btrfs_encode_fh() does not properly account for the three\ncases it handles.\n\nBefore writing to the file handle (fh), the function only returns to the\nuser BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or\nBTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).\n\nHowever, when a parent exists and the root ID of the parent and the\ninode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT\n(10 dwords, 40 bytes).\n\nIf *max_len is not large enough, this write goes out of bounds because\nBTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than\nBTRFS_FID_SIZE_CONNECTABLE originally returned.\n\nThis results in an 8-byte out-of-bounds write at\nfid-\u003eparent_root_objectid = parent_root_id.\n\nA previous attempt to fix this issue was made but was lost.\n\nhttps://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/\n\nAlthough this issue does not seem to be easily triggerable, it is a\npotential memory corruption bug that should be fixed. This patch\nresolves the issue by ensuring the function returns the appropriate size\nfor all three cases and validates that *max_len is large enough before\nwriting any data.",
  "id": "GHSA-7v4m-qg52-mxg3",
  "modified": "2025-11-13T00:30:18Z",
  "published": "2025-11-13T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40205"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0276c8582488022f057b4cec21975a5edf079f47"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/361d67276eb8ec6be8f27f4ad6c6090459438fee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/43143776b0a7604d873d1a6f3e552a00aa930224"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/742b44342204e5dfe3926433823623c1a0c581df"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3a9a8e1275eb9b87f006b5562a287aea3f6885f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d91f6626133698362bba08fbc04bd72c466806d3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dff4f9ff5d7f289e4545cc936362e01ed3252742"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.