Bug 2363268 (CVE-2025-23150) - CVE-2025-23150 kernel: ext4: fix off-by-one error in do_split
Summary: CVE-2025-23150 kernel: ext4: fix off-by-one error in do_split
Keywords:
Status: NEW
Alias: CVE-2025-23150
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-05-01 14:01 UTC by OSIDB Bzimport
Modified: 2025-09-24 02:44 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:11245 0 None None None 2025-07-15 21:04:23 UTC
Red Hat Product Errata RHSA-2025:11298 0 None None None 2025-07-16 05:57:57 UTC
Red Hat Product Errata RHSA-2025:11299 0 None None None 2025-07-16 05:45:22 UTC
Red Hat Product Errata RHSA-2025:11571 0 None None None 2025-07-23 00:22:17 UTC
Red Hat Product Errata RHSA-2025:11572 0 None None None 2025-07-23 00:15:27 UTC
Red Hat Product Errata RHSA-2025:12525 0 None None None 2025-08-04 01:48:21 UTC
Red Hat Product Errata RHSA-2025:12526 0 None None None 2025-08-04 01:58:31 UTC
Red Hat Product Errata RHSA-2025:13061 0 None None None 2025-08-05 17:57:55 UTC
Red Hat Product Errata RHSA-2025:13776 0 None None None 2025-08-13 02:41:31 UTC
Red Hat Product Errata RHSA-2025:13805 0 None None None 2025-08-13 15:26:31 UTC
Red Hat Product Errata RHSA-2025:14746 0 None None None 2025-08-27 11:40:46 UTC
Red Hat Product Errata RHSA-2025:14748 0 None None None 2025-08-27 12:39:48 UTC
Red Hat Product Errata RHSA-2025:9302 0 None None None 2025-06-23 00:45:09 UTC
Red Hat Product Errata RHSA-2025:9348 0 None None None 2025-06-23 07:39:03 UTC

Description OSIDB Bzimport 2025-05-01 14:01:22 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix off-by-one error in do_split

Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
caused by out-of-bounds access due to incorrect splitting in do_split.

BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847

CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
 ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
 add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
 make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
 ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
 ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
 vfs_symlink+0x137/0x2e0 fs/namei.c:4615
 do_symlinkat+0x222/0x3a0 fs/namei.c:4641
 __do_sys_symlink fs/namei.c:4662 [inline]
 __se_sys_symlink fs/namei.c:4660 [inline]
 __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

The following loop is located right above 'if' statement.

for (i = count-1; i >= 0; i--) {
	/* is more than half of this entry in 2nd half of the block? */
	if (size + map[i].size/2 > blocksize/2)
		break;
	size += map[i].size;
	move++;
}

'i' in this case could go down to -1, in which case sum of active entries
wouldn't exceed half the block size, but previous behaviour would also do
split in half if sum would exceed at the very last block, which in case of
having too many long name files in a single block could lead to
out-of-bounds access and following use-after-free.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Comment 1 Avinash Hanwate 2025-05-02 04:56:58 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025050127-CVE-2025-23150-15b8@gregkh/T
Comment 2 errata-xmlrpc 2025-06-23 00:45:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:9302 https://access.redhat.com/errata/RHSA-2025:9302
Comment 3 errata-xmlrpc 2025-06-23 07:39:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:9348 https://access.redhat.com/errata/RHSA-2025:9348
Comment 4 errata-xmlrpc 2025-07-15 21:04:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:11245 https://access.redhat.com/errata/RHSA-2025:11245
Comment 5 errata-xmlrpc 2025-07-16 05:45:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:11299 https://access.redhat.com/errata/RHSA-2025:11299
Comment 6 errata-xmlrpc 2025-07-16 05:57:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:11298 https://access.redhat.com/errata/RHSA-2025:11298
Comment 9 errata-xmlrpc 2025-07-23 00:15:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:11572 https://access.redhat.com/errata/RHSA-2025:11572
Comment 10 errata-xmlrpc 2025-07-23 00:22:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:11571 https://access.redhat.com/errata/RHSA-2025:11571
Comment 13 errata-xmlrpc 2025-08-04 01:48:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:12525 https://access.redhat.com/errata/RHSA-2025:12525
Comment 14 errata-xmlrpc 2025-08-04 01:58:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:12526 https://access.redhat.com/errata/RHSA-2025:12526
Comment 15 errata-xmlrpc 2025-08-05 17:57:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:13061 https://access.redhat.com/errata/RHSA-2025:13061
Comment 16 errata-xmlrpc 2025-08-13 02:41:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:13776 https://access.redhat.com/errata/RHSA-2025:13776
Comment 18 errata-xmlrpc 2025-08-13 15:26:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:13805 https://access.redhat.com/errata/RHSA-2025:13805
Comment 20 errata-xmlrpc 2025-08-27 11:40:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:14746 https://access.redhat.com/errata/RHSA-2025:14746
Comment 21 errata-xmlrpc 2025-08-27 12:39:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:14748 https://access.redhat.com/errata/RHSA-2025:14748
Note You need to log in before you can comment on or make changes to this bug.