In the Linux kernel, the following vulnerability has been resolved:

hfs: validate record offset in hfsplus_bmap_alloc

hfsplus_bmap_alloc can trigger a crash if a record offset or length is larger than node_size:

    [ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0
    [ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183
    [ 15.265949]
    [ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)
    [ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
    [ 15.266167] Call Trace:
    [ 15.266168]  <TASK>
    [ 15.266169]  dump_stack_lvl+0x53/0x70
    [ 15.266173]  print_report+0xd0/0x660
    [ 15.266181]  kasan_report+0xce/0x100
    [ 15.266185]  hfsplus_bmap_alloc+0x887/0x8b0
    [ 15.266208]  hfs_btree_inc_height.isra.0+0xd5/0x7c0
    [ 15.266217]  hfsplus_brec_insert+0x870/0xb00
    [ 15.266222]  __hfsplus_ext_write_extent+0x428/0x570
    [ 15.266225]  __hfsplus_ext_cache_extent+0x5e/0x910
    [ 15.266227]  hfsplus_ext_read_extent+0x1b2/0x200
    [ 15.266233]  hfsplus_file_extend+0x5a7/0x1000
    [ 15.266237]  hfsplus_get_block+0x12b/0x8c0
    [ 15.266238]  __block_write_begin_int+0x36b/0x12c0
    [ 15.266251]  block_write_begin+0x77/0x110
    [ 15.266252]  cont_write_begin+0x428/0x720
    [ 15.266259]  hfsplus_write_begin+0x51/0x100
    [ 15.266262]  cont_write_begin+0x272/0x720
    [ 15.266270]  hfsplus_write_begin+0x51/0x100
    [ 15.266274]  generic_perform_write+0x321/0x750
    [ 15.266285]  generic_file_write_iter+0xc3/0x310
    [ 15.266289]  __kernel_write_iter+0x2fd/0x800
    [ 15.266296]  dump_user_range+0x2ea/0x910
    [ 15.266301]  elf_core_dump+0x2a94/0x2ed0
    [ 15.266320]  vfs_coredump+0x1d85/0x45e0
    [ 15.266349]  get_signal+0x12e3/0x1990
    [ 15.266357]  arch_do_signal_or_restart+0x89/0x580
    [ 15.266362]  irqentry_exit_to_user_mode+0xab/0x110
    [ 15.266364]  asm_exc_page_fault+0x26/0x30
    [ 15.266366] RIP: 0033:0x41bd35
    [ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f
    [ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283
    [ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000
    [ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100
    [ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000
    [ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
    [ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000
    [ 15.266376]  </TASK>

When calling hfsplus_bmap_alloc to allocate a free node, this function first retrieves the bitmap from the header node and map node using node->page together with the offset and length returned by hfs_brec_lenoff:

    len = hfs_brec_lenoff(node, 2, &off16);
    off = off16;
    off += node->page_offset;
    pagep = node->page + (off >> PAGE_SHIFT);
    data = kmap_local_page(*pagep);

However, if the retrieved offset or length is invalid (i.e. exceeds node_size), the code may end up accessing pages outside the allocated range for this node.

This patch adds proper validation of both offset and length before use, preventing out-of-bounds page access.

Move is_bnode_offset_valid and check_and_correct_requested_length to hfsplus_fs.h, as they may be required by other functions.
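The following is an added user-space model of the bug class described above, not the kernel's code or the patch itself: it derives the map record's (offset, length) from a B-tree node's offset table the way hfs_brec_lenoff does, then shows the bound check that must run before the offset is turned into a page index. NODE_SIZE, BNODE_DESC_LEN and every function name here are assumptions chosen for the example.

```c
/* Added example, not kernel code: models how a B-tree node's record offset
 * table yields the map record's (offset, length), and the bound check that
 * must precede any page arithmetic on it. All names here are assumptions. */
#include <stdint.h>
#include <string.h>

#define NODE_SIZE      4096u   /* assumed tree->node_size */
#define PAGE_SHIFT     12
#define BNODE_DESC_LEN 14u     /* node descriptor size, assumed */

static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Models hfs_brec_lenoff(): the offset table sits at the end of the node as
 * big-endian u16s; entry rec+1 is the record start, entry rec the next start.
 * A corrupt table makes the subtraction wrap, so len can be close to 64K. */
static uint16_t model_brec_lenoff(const uint8_t *node, uint16_t rec, uint16_t *off)
{
    unsigned int dataoff = NODE_SIZE - (rec + 2) * 2;
    uint16_t next = rd_be16(node + dataoff);     /* retval[0] */
    *off = rd_be16(node + dataoff + 2);          /* retval[1] */
    return (uint16_t)(next - *off);
}

/* The validation the fix adds: start and start+length must lie inside the
 * node, and start must not overlap the node descriptor. */
static int record_in_bounds(uint16_t off, uint16_t len)
{
    return off >= BNODE_DESC_LEN && off < NODE_SIZE && len <= NODE_SIZE - off;
}

/* Page index the map bitmap would be read from, or -1 when rejected. */
static int map_page_index(const uint8_t *node, unsigned int page_offset)
{
    uint16_t off16;
    uint16_t len = model_brec_lenoff(node, 2, &off16);
    if (!record_in_bounds(off16, len))
        return -1;
    return (int)((off16 + page_offset) >> PAGE_SHIFT);
}

/* Build a constructed node whose offset table describes record 2 as
 * [start, next) and run it through map_page_index(). */
static int map_page_for_entries(uint16_t start, uint16_t next, unsigned int page_offset)
{
    static uint8_t node[NODE_SIZE];
    unsigned int dataoff = NODE_SIZE - (2 + 2) * 2;
    memset(node, 0, sizeof node);
    node[dataoff]     = (uint8_t)(next >> 8);  node[dataoff + 1] = (uint8_t)next;
    node[dataoff + 2] = (uint8_t)(start >> 8); node[dataoff + 3] = (uint8_t)start;
    return map_page_index(node, page_offset);
}
```

A well-formed map record resolves to a page index; an offset past node_size, a wrapped length (next start below the record start) and a record that runs past the node end are all rejected before any page pointer is computed.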