CVE-2025-37738

In the Linux kernel, the following vulnerability has been resolved:

ext4: ignore xattrs past end

Once inside 'ext4xattrinodedecref_all' we should ignore xattrs entries past the 'end' entry.

This fixes the following KASAN reported issue:

================================================================== BUG: KASAN: slab-use-after-free in ext4xattrinodedecref_all+0xb8c/0xe90 Read of size 4 at addr ffff888012c120c4 by task repro/2065

CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x1fd/0x300 ? tcpgrodevwarn+0x260/0x260 ? _printk+0xc0/0x100 ? readlockisrecursive+0x10/0x10 ? irqworkqueue+0x72/0xf0 ? _virtaddrvalid+0x17b/0x4b0 printaddressdescription+0x78/0x390 printreport+0x107/0x1f0 ? _virtaddrvalid+0x17b/0x4b0 ? _virtaddrvalid+0x3ff/0x4b0 ? _physaddr+0xb5/0x160 ? ext4xattrinodedecrefall+0xb8c/0xe90 kasanreport+0xcc/0x100 ? ext4xattrinodedecrefall+0xb8c/0xe90 ext4xattrinodedecrefall+0xb8c/0xe90 ? ext4xattrdeleteinode+0xd30/0xd30 ? _ext4journalensurecredits+0x5f0/0x5f0 ? _ext4journalensurecredits+0x2b/0x5f0 ? inodeupdatetimestamps+0x410/0x410 ext4xattrdeleteinode+0xb64/0xd30 ? ext4truncate+0xb70/0xdc0 ? ext4expandextraisizeea+0x1d20/0x1d20 ? _ext4markinodedirty+0x670/0x670 ? ext4journalcheckstart+0x16f/0x240 ? ext4inodeisfastsymlink+0x2f2/0x3a0 ext4evictinode+0xc8c/0xff0 ? ext4inodeisfastsymlink+0x3a0/0x3a0 ? dorawspinunlock+0x53/0x8a0 ? ext4inodeisfastsymlink+0x3a0/0x3a0 evict+0x4ac/0x950 ? procnrinodes+0x310/0x310 ? traceext4dropinode+0xa2/0x220 ? rawspinunlock+0x1a/0x30 ? iput+0x4cb/0x7e0 dounlinkat+0x495/0x7c0 ? trybreakdeleg+0x120/0x120 ? 0xffffffff81000000 ? _checkobjectsize+0x15a/0x210 ? strncpyfromuser+0x13e/0x250 ? getnameflags+0x1dc/0x530 _x64sysunlinkat+0xc8/0xf0 dosyscall64+0x65/0x110 entrySYSCALL64afterhwframe+0x67/0x6f RIP: 0033:0x434ffd Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8 RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIGRAX: 0000000000000107 RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005 RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001 </TASK>

The buggy address belongs to the object at ffff888012c12000 which belongs to the cache filp of size 360 The buggy address is located 196 bytes inside of freed 360-byte region [ffff888012c12000, ffff888012c12168)

The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12 head: order:1 mapcount:0 entiremapcount:0 nrpagesmapped:0 pincount:0 flags: 0x40(head|node=0|zone=0) pagetype: f5(slab) raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004 raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004 head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000 head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff888012c12180: fc fc fc fc fc fc fc fc fc ---truncated---