CVE-2025-37739

Source
https://cve.org/CVERecord?id=CVE-2025-37739
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37739.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-37739
Downstream
Published
2025-05-01T12:55:48.616Z
Modified
2026-03-20T12:42:22.332679Z
Summary
f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()

syzbot reports an UBSAN issue as below:

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10
index 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]')
CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
 get_nid fs/f2fs/node.h:381 [inline]
 f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181
 f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808
 f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836
 f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886
 f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093
 aio_write+0x56b/0x7c0 fs/aio.c:1633
 io_submit_one+0x8a7/0x18a0 fs/aio.c:2052
 __do_sys_io_submit fs/aio.c:2111 [inline]
 __se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f238798cde9

index 18446744073709550692 (decimal, unsigned long long) = 0xfffffffffffffc64 (hexadecimal, unsigned long long) = -924 (decimal, long long)

In f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to access .i_nid[-924], which means both offset[0] and level should be zero.

The possible case should be in f2fs_do_truncate_blocks(): we try to truncate inode size to zero, however, dn.ofs_in_node is zero and dn.node_page is not an inode page, so it fails to truncate the inode page, and then passes a zeroed free_from to f2fs_truncate_inode_blocks(), resulting in this issue.

if (dn.ofs_in_node || IS_INODE(dn.node_page)) {
    f2fs_truncate_data_blocks_range(&dn, count);
    free_from += count;
}

I guess the reason why dn.node_page is not an inode page could be: there are multiple nat entries sharing the same node block address; once the node block address was reused, f2fs_get_node_page() may load a non-inode block.

Let's add a sanity check for such condition to avoid out-of-bounds access issue.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37739.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
98e4da8ca301e062d79ae168c67e56f3c3de3ce4
Fixed
a67e1bf03c609a751d1740a1789af25e599966fa
Fixed
67e16ccba74dd8de0a7b10062f1e02d77432f573
Fixed
98dbf2af63de0b551082c9bc48333910e009b09f
Fixed
8b5e5aac44fee122947a269f9034c048e4c295de
Fixed
ecc461331604b07cdbdb7360dbdf78471653264c
Fixed
d7242fd7946d4cba0411effb6b5048ca55125747
Fixed
6ba8b41d0aa4b82f90f0c416cb53fcef9696525d
Fixed
e6494977bd4a83862118a05f57a8df40256951c0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37739.json"