CVE-2025-40088

Source
https://cve.org/CVERecord?id=CVE-2025-40088
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40088.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40088
Published
2025-10-30T09:47:57.333Z
Modified
2026-03-20T12:43:10.226724Z
Summary
hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()
Details

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()

The hfsplus_strcasecmp() logic can trigger the issue:

[ 117.317703][ T9855] ==================================================================
[ 117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490
[ 117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855
[ 117.319577][ T9855]
[ 117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full)
[ 117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 117.319783][ T9855] Call Trace:
[ 117.319785][ T9855] <TASK>
[ 117.319788][ T9855] dump_stack_lvl+0x1c1/0x2a0
[ 117.319795][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
[ 117.319803][ T9855] ? __pfx_dump_stack_lvl+0x10/0x10
[ 117.319808][ T9855] ? rcu_is_watching+0x15/0xb0
[ 117.319816][ T9855] ? lock_release+0x4b/0x3e0
[ 117.319821][ T9855] ? __kasan_check_byte+0x12/0x40
[ 117.319828][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
[ 117.319835][ T9855] ? __virt_addr_valid+0x4a5/0x5c0
[ 117.319842][ T9855] print_report+0x17e/0x7e0
[ 117.319848][ T9855] ? __virt_addr_valid+0x1c8/0x5c0
[ 117.319855][ T9855] ? __virt_addr_valid+0x4a5/0x5c0
[ 117.319862][ T9855] ? __phys_addr+0xd3/0x180
[ 117.319869][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490
[ 117.319876][ T9855] kasan_report+0x147/0x180
[ 117.319882][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490
[ 117.319891][ T9855] hfsplus_strcasecmp+0x1bc/0x490
[ 117.319900][ T9855] ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10
[ 117.319906][ T9855] hfs_find_rec_by_key+0xa9/0x1e0
[ 117.319913][ T9855] __hfsplus_brec_find+0x18e/0x470
[ 117.319920][ T9855] ? __pfx_hfsplus_bnode_find+0x10/0x10
[ 117.319926][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10
[ 117.319933][ T9855] ? __pfx___hfsplus_brec_find+0x10/0x10
[ 117.319942][ T9855] hfsplus_brec_find+0x28f/0x510
[ 117.319949][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10
[ 117.319956][ T9855] ? __pfx_hfsplus_brec_find+0x10/0x10
[ 117.319963][ T9855] ? __kmalloc_noprof+0x2a9/0x510
[ 117.319969][ T9855] ? hfsplus_find_init+0x8c/0x1d0
[ 117.319976][ T9855] hfsplus_brec_read+0x2b/0x120
[ 117.319983][ T9855] hfsplus_lookup+0x2aa/0x890
[ 117.319990][ T9855] ? __pfx_hfsplus_lookup+0x10/0x10
[ 117.320003][ T9855] ? d_alloc_parallel+0x2f0/0x15e0
[ 117.320008][ T9855] ? __lock_acquire+0xaec/0xd80
[ 117.320013][ T9855] ? __pfx_d_alloc_parallel+0x10/0x10
[ 117.320019][ T9855] ? __raw_spin_lock_init+0x45/0x100
[ 117.320026][ T9855] ? __init_waitqueue_head+0xa9/0x150
[ 117.320034][ T9855] __lookup_slow+0x297/0x3d0
[ 117.320039][ T9855] ? __pfx___lookup_slow+0x10/0x10
[ 117.320045][ T9855] ? down_read+0x1ad/0x2e0
[ 117.320055][ T9855] lookup_slow+0x53/0x70
[ 117.320065][ T9855] walk_component+0x2f0/0x430
[ 117.320073][ T9855] path_lookupat+0x169/0x440
[ 117.320081][ T9855] filename_lookup+0x212/0x590
[ 117.320089][ T9855] ? __pfx_filename_lookup+0x10/0x10
[ 117.320098][ T9855] ? strncpy_from_user+0x150/0x290
[ 117.320105][ T9855] ? getname_flags+0x1e5/0x540
[ 117.320112][ T9855] user_path_at+0x3a/0x60
[ 117.320117][ T9855] __x64_sys_umount+0xee/0x160
[ 117.320123][ T9855] ? __pfx___x64_sys_umount+0x10/0x10
[ 117.320129][ T9855] ? do_syscall_64+0xb7/0x3a0
[ 117.320135][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.320141][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.320145][ T9855] do_syscall_64+0xf3/0x3a0
[ 117.320150][ T9855] ? exc_page_fault+0x9f/0xf0
[ 117.320154][ T9855] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.320158][ T9855] RIP: 0033:0x7f7dd7908b07
[ 117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08
[ 117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202
---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40088.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
603158d4efa98a13a746bd586c20f194f4a31ec8
Fixed
ef250c3edd995d7bb5a5e5122ffad1c28a8686eb
Fixed
7ab44236b32ed41eb0636797e8e8e885a2f3b18a
Fixed
b47a75b6f762321f9eb6f31aab7bce47a37063b7
Fixed
4f5ab4a9c6abd8b0d713cc2b7b041bc10d70f241
Fixed
586c75dfd1d265c4150f6529debb85c9d62e101f
Fixed
4bc081ba6c52b0c88c92701e3fbc33c7e2277afb
Fixed
42520df65bf67189541a425f7d36b0b3e7bd7844

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40088.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.12
Fixed
5.4.301
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.246
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.196
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.158
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.114
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.55
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.5

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40088.json"