CVE-2025-37739 Information
Description
In the Linux kernel the following vulnerability has been resolved:
f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()
syzbot reports an UBSAN issue as below:
————[ cut here ]————
UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10
index 18446744073709550692 is out of range for type ‘__le32[5]’ (aka ‘unsigned int[5]’)
CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 0
Call Trace:
index 18446744073709550692 (decimal unsigned long long) = 0xfffffffffffffc64 (hexadecimal unsigned long long) = -924 (decimal long long)
In f2fs_truncate_inode_blocks() UBSAN detects that get_nid() tries to access .i_nid[-924] it means both offset[0] and level should zero.
The possible case should be in f2fs_do_truncate_blocks() we try to truncate inode size to zero however dn.ofs_in_node is zero and dn.node_page is not an inode page so it fails to truncate inode page and then pass zeroed free_from to f2fs_truncate_inode_blocks() result in this issue.
if (dn.ofs_in_node || IS_INODE(dn.node_page))
f2fs_truncate_data_blocks_range(&dn count);
free_from += count;
I guess the reason why dn.node_page is not an inode page could be: there are multiple nat entries share the same node block address once the node block address was reused f2fs_get_node_page() may load a non-inode block.
Let’s add a sanity check for such condition to avoid out-of-bounds access issue.
Reference
https://git.kernel.org/stable/c/6ba8b41d0aa4b82f90f0c416cb53fcef9696525d https://git.kernel.org/stable/c/8b5e5aac44fee122947a269f9034c048e4c295de https://git.kernel.org/stable/c/98dbf2af63de0b551082c9bc48333910e009b09f https://git.kernel.org/stable/c/d7242fd7946d4cba0411effb6b5048ca55125747 https://git.kernel.org/stable/c/e6494977bd4a83862118a05f57a8df40256951c0 https://git.kernel.org/stable/c/ecc461331604b07cdbdb7360dbdf78471653264c
Share on: