CVE-2025-37780

Source
https://cve.org/CVERecord?id=CVE-2025-37780
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37780.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-37780
Downstream
Related
Published
2025-05-01T13:07:17.748Z
Modified
2026-03-11T07:49:12.647864814Z
Summary
isofs: Prevent the use of too small fid
Details

In the Linux kernel, the following vulnerability has been resolved:

isofs: Prevent the use of too small fid

syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1]

The handle_bytes value passed in by the reproducing program is equal to 12. In handle_to_path(), only 12 bytes of memory are allocated for the structure file_handle->f_handle member, which causes an out-of-bounds access when accessing the member parent_block of the structure isofs_fid in isofs, because accessing parent_block requires at least 16 bytes of f_handle. Here, fh_len is used to indirectly confirm that the value of handle_bytes is greater than 3 before accessing parent_block.

[1] BUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
Read of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466

CPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0x198/0x550 mm/kasan/report.c:521
 kasan_report+0xd8/0x138 mm/kasan/report.c:634
 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
 isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
 exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523
 do_handle_to_path+0xa0/0x198 fs/fhandle.c:257
 handle_to_path fs/fhandle.c:385 [inline]
 do_handle_open+0x8cc/0xb8c fs/fhandle.c:403
 __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
 __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
 __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Allocated by task 6466:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4294 [inline]
 __kmalloc_noprof+0x32c/0x54c mm/slub.c:4306
 kmalloc_noprof include/linux/slab.h:905 [inline]
 handle_to_path fs/fhandle.c:357 [inline]
 do_handle_open+0x5a4/0xb8c fs/fhandle.c:403
 __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
 __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
 __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
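The defect the record describes is a classic one for file-handle decoders: the caller of open_by_handle_at() controls handle_bytes, the kernel allocates exactly that many bytes for f_handle, and the filesystem-specific decoder then reads fields at fixed offsets without first confirming that fh_len covers them. The userspace model below is an added example written for this page; it is not the kernel's code or the fix commit. It borrows the field names of struct isofs_fid from fs/isofs/export.c, but the byte offsets it computes come from the host compiler's natural alignment and are an assumption, as are the helper names parent_block_min_words, parent_ref_min_words and isofs_decode_parent. It shows the bound the report mentions (parent_block needs 16 bytes, i.e. fh_len 4, so a 12-byte handle with fh_len 3 is too short) and a decoder that derives the minimum fh_len from offsetof/sizeof of every field it reads instead of hard-coding a number.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the isofs file-handle payload. Field names and types follow
 * struct isofs_fid in fs/isofs/export.c; the byte offsets used below are whatever this
 * host's natural alignment produces and are an assumption of this example. */
struct isofs_fid {
    uint32_t block;
    uint16_t oblock;
    uint32_t generation;
    uint32_t parent_block;
    uint16_t parent_oblock;
    uint32_t parent_generation;
};

#define ISOFS_FID_PARENT_TYPE 2   /* fh_type for handles that carry parent information */
#define FH_WORD 4                  /* exportfs counts fh_len in 32-bit words */

/* Decoded parent reference handed back to the caller (hypothetical helper type). */
struct parent_ref {
    uint32_t block;
    uint16_t oblock;
    uint32_t generation;
};

/* Smallest fh_len (in words) for which the field at [off, off + size) lies inside the handle. */
static int words_needed(size_t off, size_t size)
{
    return (int)((off + size + FH_WORD - 1) / FH_WORD);
}

/* Words required before parent_block alone may be read: 4 (16 bytes) for this layout.
 * The syzbot reproducer supplied handle_bytes = 12, i.e. fh_len 3, one word short. */
int parent_block_min_words(void)
{
    return words_needed(offsetof(struct isofs_fid, parent_block), sizeof(uint32_t));
}

/* Words required for every parent field this decoder reads (the last one decides). */
int parent_ref_min_words(void)
{
    return words_needed(offsetof(struct isofs_fid, parent_generation), sizeof(uint32_t));
}

/* Hardened decode. The handle buffer is exactly fh_len words long (in the kernel,
 * handle_to_path() allocates only handle_bytes), so nothing past it may be touched.
 * Returns false for the wrong type or for a handle too short to hold the fields read. */
bool isofs_decode_parent(const void *fh, int fh_len, int fh_type, struct parent_ref *out)
{
    struct isofs_fid fid;

    if (fh_type != ISOFS_FID_PARENT_TYPE)
        return false;
    if (fh_len < parent_ref_min_words())      /* the length check the bug lacked */
        return false;

    /* The check above guarantees sizeof fid bytes exist, so this copy stays in bounds. */
    memcpy(&fid, fh, sizeof fid);
    out->block = fid.parent_block;
    out->oblock = fid.parent_oblock;
    out->generation = fid.parent_generation;
    return true;
}

int main(void)
{
    /* Constructed sample handle; the values are arbitrary test data. */
    struct isofs_fid sample = { 7, 1, 9, 42, 3, 11 };
    int full_len = (int)(sizeof sample / FH_WORD);
    struct parent_ref ref;
    bool ok;

    printf("parent_block needs fh_len >= %d, full parent ref needs fh_len >= %d\n",
           parent_block_min_words(), parent_ref_min_words());

    /* A 12-byte handle (fh_len 3), as in the report: rejected before any field is read. */
    ok = isofs_decode_parent(&sample, 3, ISOFS_FID_PARENT_TYPE, &ref);
    printf("fh_len=3: %s\n", ok ? "decoded" : "rejected");

    /* A handle that actually covers the struct: decoded normally. */
    ok = isofs_decode_parent(&sample, full_len, ISOFS_FID_PARENT_TYPE, &ref);
    printf("fh_len=%d: %s parent_block=%u\n", full_len,
           ok ? "decoded" : "rejected", ok ? ref.block : 0u);
    return 0;
}
```

The point of deriving the bound from offsetof/sizeof rather than writing `fh_len < 4` is that the check cannot drift from the struct: if a field is added or the layout changes, the minimum length changes with it, and KASAN (or an fh_len fuzzer like the one syzbot ran here) has nothing left to find in this path.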

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37780.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
ee01a309ebf598be1ff8174901ed6e91619f1749
Fixed
5e7de55602c61c8ff28db075cc49c8dd6989d7e0
Fixed
63d5a3e207bf315a32c7d16de6c89753a759f95a
Fixed
0fdafdaef796816a9ed0fd7ac812932d569d9beb
Fixed
952e7a7e317f126d0a2b879fc531b716932d5ffa
Fixed
56dfffea9fd3be0b3795a9ca6401e133a8427e0b
Fixed
007124c896e7d4614ac1f6bd4dedb975c35a2a8e
Fixed
0405d4b63d082861f4eaff9d39c78ee9dc34f845

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37780.json"