CVE-2025-38221

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38221
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38221.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38221
Downstream
Published
2025-07-04T13:37:37.248Z
Modified
2025-12-02T13:41:54.912799Z
Summary
ext4: fix out of bounds punch offset
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix out of bounds punch offset

Punching a hole with a start offset that exceeds max_end is not permitted and will result in a negative length in the truncate_inode_partial_folio() function while truncating the page cache, potentially leading to undesirable consequences.

A simple reproducer:

truncate -s 9895604649994 /mnt/foo
xfs_io -c "pwrite 8796093022208 4096" /mnt/foo
xfs_io -c "fpunch 8796093022213 25769803777" /mnt/foo

kernel BUG at include/linux/highmem.h:275!
Oops: invalid opcode: 0000 [#1] SMP PTI
CPU: 3 UID: 0 PID: 710 Comm: xfs_io Not tainted 6.15.0-rc3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:zero_user_segments.constprop.0+0xd7/0x110
RSP: 0018:ffffc90001cf3b38 EFLAGS: 00010287
RAX: 0000000000000005 RBX: ffffea0001485e40 RCX: 0000000000001000
RDX: 000000000040b000 RSI: 0000000000000005 RDI: 000000000040b000
RBP: 000000000040affb R08: ffff888000000000 R09: ffffea0000000000
R10: 0000000000000003 R11: 00000000fffc7fc5 R12: 0000000000000005
R13: 000000000040affb R14: ffffea0001485e40 R15: ffff888031cd3000
FS:  00007f4f63d0b780(0000) GS:ffff8880d337d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000001ae0b038 CR3: 00000000536aa000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 truncate_inode_partial_folio+0x3dd/0x620
 truncate_inode_pages_range+0x226/0x720
 ? bdev_getblk+0x52/0x3e0
 ? ext4_get_group_desc+0x78/0x150
 ? crc32c_arch+0xfd/0x180
 ? __ext4_get_inode_loc+0x18c/0x840
 ? ext4_inode_csum+0x117/0x160
 ? jbd2_journal_dirty_metadata+0x61/0x390
 ? __ext4_handle_dirty_metadata+0xa0/0x2b0
 ? kmem_cache_free+0x90/0x5a0
 ? jbd2_journal_stop+0x1d5/0x550
 ? __ext4_journal_stop+0x49/0x100
 truncate_pagecache_range+0x50/0x80
 ext4_truncate_page_cache_block_range+0x57/0x3a0
 ext4_punch_hole+0x1fe/0x670
 ext4_fallocate+0x792/0x17d0
 ? __count_memcg_events+0x175/0x2a0
 vfs_fallocate+0x121/0x560
 ksys_fallocate+0x51/0xc0
 __x64_sys_fallocate+0x24/0x40
 x64_sys_call+0x18d2/0x4170
 do_syscall_64+0xa7/0x220
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fix this by filtering out cases where the punching start offset exceeds max_end.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38221.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
33f61ecabb10098b63dad3b729552779379f900d
Fixed
a4d60ba277ecd8a98c5a593cbc0ef2237c20a541
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
982bf37da09d078570650b691d9084f43805a5de
Fixed
28b62cb58fd014338f5004170f2e3a35bf0af238
Fixed
b5e58bcd79625423487fa3ecba8e8411b5396327

Affected versions

v6.*

v6.14
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.15.3

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.15.0
Fixed
6.15.4