{"id":72505,"date":"2025-10-28T13:45:40","date_gmt":"2025-10-28T10:15:40","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-40025-f2fs-fix-to-do-sanity-check-on-node-footer-for-non-inode-dnode\/"},"modified":"2025-10-28T13:45:40","modified_gmt":"2025-10-28T10:15:40","slug":"cve-2025-40025-f2fs-fix-to-do-sanity-check-on-node-footer-for-non-inode-dnode","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-40025-f2fs-fix-to-do-sanity-check-on-node-footer-for-non-inode-dnode\/","title":{"rendered":"CVE-2025-40025 &#8211; f2fs: fix to do sanity check on node footer for non inode dnode"},"content":{"rendered":"<p>CVE ID : CVE-2025-40025<\/p>\n<p>Published :  28 October 2025 10:15 | 29\u00a0minutes ago<\/p>\n<p>Description : In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>f2fs: fix to do sanity check on node footer for non inode dnode<\/p>\n<p>As syzbot reported below:<\/p>\n<p>------------[ cut here ]------------<br \/>\nkernel BUG at fs\/f2fs\/file.c:1243!<br \/>\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI<br \/>\nCPU: 0 UID: 0 PID: 5354 Comm: syz.0.0 Not tainted 6.17.0-rc1-syzkaller-00211-g90d970cade8e #0 PREEMPT(full)<br \/>\nRIP: 0010:f2fs_truncate_hole+0x69e\/0x6c0 fs\/f2fs\/file.c:1243<br \/>\nCall Trace:<\/p>\n<p> f2fs_punch_hole+0x2db\/0x330 fs\/f2fs\/file.c:1306<br \/>\n f2fs_fallocate+0x546\/0x990 fs\/f2fs\/file.c:2018<br \/>\n vfs_fallocate+0x666\/0x7e0 fs\/open.c:342<br \/>\n ksys_fallocate fs\/open.c:366 [inline]<br \/>\n __do_sys_fallocate fs\/open.c:371 [inline]<br \/>\n __se_sys_fallocate fs\/open.c:369 [inline]<br \/>\n __x64_sys_fallocate+0xc0\/0x110 fs\/open.c:369<br \/>\n do_syscall_x64 arch\/x86\/entry\/syscall_64.c:63 [inline]<br \/>\n do_syscall_64+0xfa\/0x3b0 arch\/x86\/entry\/syscall_64.c:94<br \/>\n entry_SYSCALL_64_after_hwframe+0x77\/0x7f<br \/>\nRIP: 0033:0x7f1e65f8ebe9<\/p>\n<p>w\/ a fuzzed image, f2fs may encounter panic because it detects an inconsistent<br \/>\ntruncation range in direct node in f2fs_truncate_hole().<\/p>\n<p>The root cause is: a non-inode dnode may have the same footer.ino and<br \/>\nfooter.nid, so the dnode will be parsed as an inode, then ADDRS_PER_PAGE()<br \/>\nmay return wrong blkaddr count which may be 923 typically, by chance,<br \/>\ndn.ofs_in_node is equal to 923, then count can be calculated to 0 in below<br \/>\nstatement, later it will trigger panic w\/ f2fs_bug_on(, count == 0 || &#8230;).<\/p>\n<p>\tcount = min(end_offset - dn.ofs_in_node, pg_end - pg_start);<\/p>\n<p>This patch introduces a new node_type NODE_TYPE_NON_INODE, then allows<br \/>\npassing the new_type to sanity_check_node_footer in f2fs_get_node_folio()<br \/>\nto detect corruption that a non-inode dnode has the same footer.ino and<br \/>\nfooter.nid.<\/p>\n<p>Scripts to reproduce:<br \/>\nmkfs.f2fs -f \/dev\/vdb<br \/>\nmount \/dev\/vdb \/mnt\/f2fs<br \/>\ntouch \/mnt\/f2fs\/foo<br \/>\ntouch \/mnt\/f2fs\/bar<br \/>\ndd if=\/dev\/zero of=\/mnt\/f2fs\/foo bs=1M count=8<br \/>\numount \/mnt\/f2fs<br \/>\ninject.f2fs --node --mb i_nid --nid 4 --idx 0 --val 5 \/dev\/vdb<br \/>\nmount \/dev\/vdb \/mnt\/f2fs<br \/>\nxfs_io \/mnt\/f2fs\/foo -c \"fpunch 6984k 4k\"<\/p>\n<p>Severity: 0.0 | NA<\/p>\n<p>Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2025-40025 Published : 28 October 2025 10:15 | 29\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on node footer for non inode dnode As syzbot reported below: ------------[ cut here ]------------ kernel BUG at fs\/f2fs\/file.c:1243! Oops: invalid opcode: 0000 [#1] &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-72505","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/72505","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=72505"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/72505\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=72505"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=72505"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=72505"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}