Bug 2414736 (CVE-2025-40200)

Summary: CVE-2025-40200 kernel: Squashfs: reject negative file sizes in squashfs_read_inode()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
An integer validation issue was found in the Linux kernel's Squashfs filesystem when reading inode metadata. A local user can trigger this issue by mounting a maliciously crafted Squashfs image containing inodes with negative file sizes. When overlayfs attempts to copy up such files, the negative size value causes warnings in the VFS layer and can lead to unexpected behavior, memory corruption, or denial of service through system instability.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-11-12 23:03:27 UTC 
In the Linux kernel, the following vulnerability has been resolved:

Squashfs: reject negative file sizes in squashfs_read_inode()

Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs.

This warning is ultimately caused because the underlying Squashfs file
system returns a file with a negative file size.

This commit checks for a negative file size and returns EINVAL.

[phillip.uk: only need to check 64 bit quantity]
Comment 1 Alexander B 2025-11-13 10:53:59 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025111246-CVE-2025-40200-c514@gregkh/T