CVE-2025-37785: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved: ext4: fix OOB read when checking dotdot dir

Mounting a corrupted filesystem with a directory which contains a '.' dir entry with rec_len == block size results in an out-of-bounds read (later on, when the corrupted directory is removed).

ext4_empty_dir() assumes every ext4 directory contains at least '.' and '..' as directory entries in the first data block. It first loads the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry() and then uses its rec_len member to compute the location of the '..' dir entry (in ext4_next_entry). It assumes the '..' dir entry fits into the same data block.

If the rec_len of '.' is precisely one block (4KB), it slips through the sanity checks (it is considered the last directory entry in the data block) and leaves "struct ext4_dir_entry_2 *de" pointing exactly past the memory slot allocated to the data block. The following call to ext4_check_dir_entry() on the new value of de then dereferences this pointer, which results in out-of-bounds mem access.

Fix this by extending __ext4_check_dir_entry() to check for '.' dir entries that reach the end of the data block. Make sure to ignore the phony dir entries for checksum (by checking name_len for non-zero).

Note: This is reported by KASAN as use-after-free in case another structure was recently freed from the slot past the bound, but it is really an OOB read.

This issue was found by the syzkaller tool.
Call Trace:
[ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710
[ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375
[ 38.595158]
[ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1
[ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 38.595304] Call Trace:
[ 38.595308] <TASK>
[ 38.595311] dump_stack_lvl+0xa7/0xd0
[ 38.595325] print_address_description.constprop.0+0x2c/0x3f0
[ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595349] print_report+0xaa/0x250
[ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595368] ? kasan_addr_to_slab+0x9/0x90
[ 38.595378] kasan_report+0xab/0xe0
[ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595400] __ext4_check_dir_entry+0x67e/0x710
[ 38.595410] ext4_empty_dir+0x465/0x990
[ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10
[ 38.595432] ext4_rmdir.part.0+0x29a/0xd10
[ 38.595441] ? __dquot_initialize+0x2a7/0xbf0
[ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10
[ 38.595464] ? __pfx___dquot_initialize+0x10/0x10
[ 38.595478] ? down_write+0xdb/0x140
[ 38.595487] ? __pfx_down_write+0x10/0x10
[ 38.595497] ext4_rmdir+0xee/0x140
[ 38.595506] vfs_rmdir+0x209/0x670
[ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190
[ 38.595529] do_rmdir+0x363/0x3c0
[ 38.595537] ? __pfx_do_rmdir+0x10/0x10
[ 38.595544] ? strncpy_from_user+0x1ff/0x2e0
[ 38.595561] __x64_sys_unlinkat+0xf0/0x130
[ 38.595570] do_syscall_64+0x5b/0x180
[ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e
AI Analysis
Technical Summary
CVE-2025-37785 is a vulnerability in the Linux kernel's ext4 filesystem implementation, specifically in directory entry parsing during filesystem mounting and directory removal. The flaw arises when a corrupted ext4 filesystem is mounted that contains a directory whose '.' entry has a record length (rec_len) exactly equal to the block size (typically 4KB). ext4_empty_dir() assumes that every directory contains at least the '.' and '..' entries within its first data block and uses the rec_len of '.' to locate '..'. If '.' has a rec_len equal to the block size, it incorrectly passes the sanity checks, and the pointer computed for '..' points just beyond the allocated block. Dereferencing that pointer is an out-of-bounds (OOB) read, which can cause undefined behavior, including kernel crashes or information disclosure. The issue was found by the syzkaller fuzzer and reported by KASAN as a use-after-free, although it is fundamentally an OOB read. The vulnerability is triggered during mounting or when the corrupted directory is removed, involving ext4_empty_dir() and ext4_rmdir(). The root cause is insufficient validation of directory entry boundaries in ext4_check_dir_entry(); the fix adds a check that rejects '.' entries extending to the end of the data block while ignoring the phony entries used for checksumming. This vulnerability affects Linux kernel versions including commit ac27a0ec112a089f1a5102bc8dffc79c8c815571 and likely others around that timeframe. No known exploits are reported in the wild as of publication. Triggering the vulnerability requires a specially crafted corrupted ext4 filesystem image, so an attacker needs to supply or mount such a filesystem. The impact is primarily on kernel stability, with potential information leakage from OOB reads during filesystem operations.
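The boundary check described in the commit message and the summary above, reduced to a stand-alone host-side model that is added here and is not the kernel's code: struct dir_entry, rec_len_for, check_dir_entry, locate_dotdot and build_block are simplified stand-ins for ext4_dir_entry_2, ext4_dir_rec_len, __ext4_check_dir_entry, the first steps of ext4_empty_dir/ext4_next_entry, and a constructed 4KB directory block. With fixed=0 the check accepts a '.' whose rec_len equals the block size and the computed '..' pointer lands past the block; with fixed=1 the added test rejects that entry before any pointer is formed.

```c
#include <stdint.h>
#include <string.h>
#define BLOCK_SIZE 4096   /* directory data block size the commit message assumes (4KB) */

/* Simplified host-order model of the on-disk struct ext4_dir_entry_2. rec_len is the
 * distance to the next entry; name_len == 0 marks the phony checksum tail entry. */
struct dir_entry { uint32_t inode; uint16_t rec_len; uint8_t name_len, file_type; char name[]; };

/* Minimal record length for an n-byte name: 8-byte header plus name, rounded up to 4. */
static unsigned rec_len_for(unsigned name_len) { return (8 + name_len + 3) & ~3u; }

/* Boundary check modelled on __ext4_check_dir_entry(); 'fixed' enables the test the
 * CVE-2025-37785 patch added. Returns 0 when the entry at 'offset' is acceptable. */
static int check_dir_entry(const uint8_t *block, unsigned offset, int fixed)
{
    const struct dir_entry *de = (const struct dir_entry *)(block + offset);
    unsigned rlen = de->rec_len, next = offset + rlen;
    if (rlen < rec_len_for(1) || rlen % 4 != 0) return -1;       /* malformed rec_len */
    if (rlen < rec_len_for(de->name_len)) return -1;             /* name does not fit */
    if (next > BLOCK_SIZE) return -1;                            /* entry overruns block */
    if (next > BLOCK_SIZE - rec_len_for(1) && next != BLOCK_SIZE) return -1; /* too close to end */
    /* The added check: a real '.' entry (name_len != 0 excludes the checksum tail)
     * must not be the last record in the block, because '..' has to follow it. */
    if (fixed && next == BLOCK_SIZE && de->name_len == 1 && de->name[0] == '.') return -1;
    return 0;
}

/* Mirrors the first steps of ext4_empty_dir(): validate '.' then step to '..' the way
 * ext4_next_entry() does. Returns the offset of '..', or -1 when the block is rejected;
 * *oob is set when the computed '..' pointer would lie outside the block (the OOB read). */
static int locate_dotdot(const uint8_t *block, int fixed, int *oob)
{
    *oob = 0;
    if (check_dir_entry(block, 0, fixed) != 0) return -1;
    unsigned next = ((const struct dir_entry *)block)->rec_len;
    if (next >= BLOCK_SIZE) { *oob = 1; return -1; }  /* the unfixed kernel dereferences this */
    return (int)next;
}

/* Builds a constructed directory block whose '.' entry carries the given rec_len. */
static void build_block(uint8_t *block, unsigned dot_rec_len)
{
    memset(block, 0, BLOCK_SIZE);
    struct dir_entry *dot = (struct dir_entry *)block;
    dot->inode = 2; dot->rec_len = (uint16_t)dot_rec_len; dot->name_len = 1; dot->name[0] = '.';
    if (dot_rec_len < BLOCK_SIZE) {  /* well-formed case: '..' fills the remainder */
        struct dir_entry *dd = (struct dir_entry *)(block + dot_rec_len);
        dd->inode = 2; dd->rec_len = (uint16_t)(BLOCK_SIZE - dot_rec_len);
        dd->name_len = 2; dd->name[0] = '.'; dd->name[1] = '.';
    }
}
```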
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux with ext4 filesystems, which is the default filesystem for many Linux distributions widely used in enterprise, government, and cloud environments across Europe. The OOB read could lead to kernel crashes (denial of service) or potentially expose sensitive kernel memory contents, risking confidentiality breaches. Systems that mount external or untrusted ext4 filesystems, such as removable media, network shares, or virtual machine disk images, are particularly at risk. This could affect servers, desktops, embedded devices, and cloud infrastructure. Disruption of critical services due to kernel panics or crashes could impact business continuity, especially in sectors like finance, healthcare, telecommunications, and public administration. Although exploitation requires mounting a corrupted filesystem, the complexity is moderate for attackers with local or physical access or those able to convince users or administrators to mount malicious filesystems. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent future exploitation. The vulnerability does not directly allow privilege escalation or remote code execution but could be leveraged as part of a multi-stage attack chain. Overall, the impact on confidentiality, integrity, and availability is significant enough to warrant urgent mitigation in European organizations relying on Linux ext4 filesystems.
Mitigation Recommendations
1. Apply the official Linux kernel patches that fix this vulnerability as soon as they become available from trusted sources or Linux distribution vendors.
2. Avoid mounting untrusted or suspicious ext4 filesystems, especially those received from external or unknown sources, until patched.
3. Implement strict controls and validation on removable media and network-shared filesystems to prevent mounting of corrupted or malicious ext4 images.
4. Use filesystem integrity checking tools to detect and quarantine corrupted ext4 filesystems before mounting.
5. For virtualized environments, ensure that virtual disk images are scanned and validated prior to use.
6. Employ kernel hardening and runtime protection mechanisms such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar issues early.
7. Monitor system logs for kernel warnings or crashes related to ext4 operations that could indicate attempted exploitation.
8. Educate system administrators about the risks of mounting untrusted filesystems and enforce policies restricting such actions.
9. Consider deploying layered security controls such as SELinux or AppArmor profiles to limit the impact of kernel-level faults.
10. Maintain up-to-date backups and disaster recovery plans to mitigate potential service disruptions caused by kernel crashes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.940Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe83fd
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 11:14:16 PM
Last updated: 8/22/2025, 1:55:34 AM