CVE ID : CVE-2025-40082<\/p>\n
Published : Oct. 28, 2025, 12:15 p.m. | 29\u00a0minutes ago<\/p>\n
Description : In the Linux kernel, the following vulnerability has been resolved:<\/p>\n
hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()<\/p>\n
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71\/0xb90 fs\/hfsplus\/unicode.c:186
\nRead of size 2 at addr ffff8880289ef218 by task syz.6.248\/14290<\/p>\n
CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)
\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04\/01\/2014
\nCall Trace:<\/p>\n
__dump_stack lib\/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116\/0x1b0 lib\/dump_stack.c:120
\n print_address_description mm\/kasan\/report.c:378 [inline]\n print_report+0xca\/0x5f0 mm\/kasan\/report.c:482
\n kasan_report+0xca\/0x100 mm\/kasan\/report.c:595
\n hfsplus_uni2asc+0xa71\/0xb90 fs\/hfsplus\/unicode.c:186
\n hfsplus_listxattr+0x5b6\/0xbd0 fs\/hfsplus\/xattr.c:738
\n vfs_listxattr+0xbe\/0x140 fs\/xattr.c:493
\n listxattr+0xee\/0x190 fs\/xattr.c:924
\n filename_listxattr fs\/xattr.c:958 [inline]\n path_listxattrat+0x143\/0x360 fs\/xattr.c:988
\n do_syscall_x64 arch\/x86\/entry\/syscall_64.c:63 [inline]\n do_syscall_64+0xcb\/0x4c0 arch\/x86\/entry\/syscall_64.c:94
\n entry_SYSCALL_64_after_hwframe+0x77\/0x7f
\nRIP: 0033:0x7fe0e9fae16d
\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
\nRSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3
\nRAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d
\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000
\nRBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000
\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
\nR13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000<\/p>\n
Allocated by task 14290:
\n kasan_save_stack+0x24\/0x50 mm\/kasan\/common.c:47
\n kasan_save_track+0x14\/0x30 mm\/kasan\/common.c:68
\n poison_kmalloc_redzone mm\/kasan\/common.c:377 [inline]\n __kasan_kmalloc+0xaa\/0xb0 mm\/kasan\/common.c:394
\n kasan_kmalloc include\/linux\/kasan.h:260 [inline]\n __do_kmalloc_node mm\/slub.c:4333 [inline]\n __kmalloc_noprof+0x219\/0x540 mm\/slub.c:4345
\n kmalloc_noprof include\/linux\/slab.h:909 [inline]\n hfsplus_find_init+0x95\/0x1f0 fs\/hfsplus\/bfind.c:21
\n hfsplus_listxattr+0x331\/0xbd0 fs\/hfsplus\/xattr.c:697
\n vfs_listxattr+0xbe\/0x140 fs\/xattr.c:493
\n listxattr+0xee\/0x190 fs\/xattr.c:924
\n filename_listxattr fs\/xattr.c:958 [inline]\n path_listxattrat+0x143\/0x360 fs\/xattr.c:988
\n do_syscall_x64 arch\/x86\/entry\/syscall_64.c:63 [inline]\n do_syscall_64+0xcb\/0x4c0 arch\/x86\/entry\/syscall_64.c:94
\n entry_SYSCALL_64_after_hwframe+0x77\/0x7f<\/p>\n
When hfsplus_uni2asc is called from hfsplus_listxattr,
\nit actually passes in a struct hfsplus_attr_unistr*.
\nThe size of the corresponding structure is different from that of hfsplus_unistr,
\nso the previous fix (94458781aee6) is insufficient.
\nThe pointer on the unicode buffer is still going beyond the allocated memory.<\/p>\n
This patch introduces two warpper functions hfsplus_uni2asc_xattr_str and
\nhfsplus_uni2asc_str to process two unicode buffers,
\nstruct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.
\nWhen ustrlen value is bigger than the allocated memory size,
\nthe ustrlen value is limited to an safe size.<\/p>\n
Severity: 0.0 | NA<\/p>\n
Visit the link for more details, such as CVSS details, affected products, timeline, and more…\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"
CVE ID : CVE-2025-40082 Published : Oct. 28, 2025, 12:15 p.m. | 29\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71\/0xb90 fs\/hfsplus\/unicode.c:186 Read of size 2 at addr ffff8880289ef218 by task syz.6.248\/14290 CPU: 0 UID: 0 PID: 14290 Comm: …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-72509","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/72509","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=72509"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/72509\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=72509"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=72509"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=72509"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}