CVE-2025-38713

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()

The hfsplusreaddir() method is capable to crash by calling hfsplusuni2asc():

[ 667.121659][ T9805] ================================================================== [ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplusuni2asc+0x902/0xa10 [ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805 [ 667.124578][ T9805] [ 667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full) [ 667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 667.124890][ T9805] Call Trace: [ 667.124893][ T9805] <TASK> [ 667.124896][ T9805] dumpstacklvl+0x10e/0x1f0 [ 667.124911][ T9805] printreport+0xd0/0x660 [ 667.124920][ T9805] ? __virtaddrvalid+0x81/0x610 [ 667.124928][ T9805] ? __physaddr+0xe8/0x180 [ 667.124934][ T9805] ? hfsplusuni2asc+0x902/0xa10 [ 667.124942][ T9805] kasanreport+0xc6/0x100 [ 667.124950][ T9805] ? hfsplusuni2asc+0x902/0xa10 [ 667.124959][ T9805] hfsplusuni2asc+0x902/0xa10 [ 667.124966][ T9805] ? hfsplusbnoderead+0x14b/0x360 [ 667.124974][ T9805] hfsplusreaddir+0x845/0xfc0 [ 667.124984][ T9805] ? __pfxhfsplusreaddir+0x10/0x10 [ 667.124994][ T9805] ? stack_tracesave+0x8e/0xc0 [ 667.125008][ T9805] ? iteratedir+0x18b/0xb20 [ 667.125015][ T9805] ? tracelockacquire+0x85/0xd0 [ 667.125022][ T9805] ? lockacquire+0x30/0x80 [ 667.125029][ T9805] ? iteratedir+0x18b/0xb20 [ 667.125037][ T9805] ? downreadkillable+0x1ed/0x4c0 [ 667.125044][ T9805] ? putname+0x154/0x1a0 [ 667.125051][ T9805] ? __pfxdownreadkillable+0x10/0x10 [ 667.125058][ T9805] ? apparmorfilepermission+0x239/0x3e0 [ 667.125069][ T9805] iteratedir+0x296/0xb20 [ 667.125076][ T9805] __x64sysx64sysgetdents64+0x13c/0x2c0 [ 667.125084][ T9805] ? pfx64sysgetdents64+0x10/0x10 [ 667.125091][ T9805] ? __x64sysopenat+0x141/0x200 [ 667.125126][ T9805] ? __pfxfilldir64+0x10/0x10 [ 667.125134][ T9805] ? douseraddrfault+0x7fe/0x12f0 [ 667.125143][ T9805] do_syscall64+0xc9/0x480 [ 667.125151][ T9805] entrySYSCALL64afterhwframe+0x77/0x7f [ 667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9 [ 667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 [ 667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIGRAX: 00000000000000d9 [ 667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9 [ 667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004 [ 667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110 [ 667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260 [ 667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 667.125207][ T9805] </TASK> [ 667.125210][ T9805] [ 667.145632][ T9805] Allocated by task 9805: [ 667.145991][ T9805] kasansavestack+0x20/0x40 [ 667.146352][ T9805] kasansavetrack+0x14/0x30 [ 667.146717][ T9805] __kasan_kmalloc+0xaa/0xb0 [ 667.147065][ T9805] __kmallocnoprof+0x205/0x550 [ 667.147448][ T9805] hfsplusfindinit+0x95/0x1f0 [ 667.147813][ T9805] hfsplusreaddir+0x220/0xfc0 [ 667.148174][ T9805] iterate_dir+0x296/0xb20 [ 667.148549][ T9805] __x64sysgetdents64+0x13c/0x2c0 [ 667.148937][ T9805] dosyscall64+0xc9/0x480 [ 667.149291][ T9805] entrySYSCALL64afterhwframe+0x77/0x7f [ 667.149809][ T9805] [ 667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000 [ 667.150030][ T9805] which belongs to the cache kmalloc-2k of size 2048 [ 667.151282][ T9805] The buggy address is located 0 bytes to the right of [ 667.151282][ T9805] allocated 1036-byte region [ffff88802592f000, ffff88802592f40c) [ 667.1 ---truncated---