Bug 2376072 (CVE-2025-38172) - CVE-2025-38172 kernel: erofs: avoid using multiple devices with different type
Summary: CVE-2025-38172 kernel: erofs: avoid using multiple devices with different type
Keywords:
Status: NEW
Alias: CVE-2025-38172
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-07-03 09:03 UTC by OSIDB Bzimport
Modified: 2025-07-03 10:14 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2025-07-03 09:03:39 UTC
In the Linux kernel, the following vulnerability has been resolved:

erofs: avoid using multiple devices with different type

For multiple devices, both primary and extra devices should be the
same type. `erofs_init_device` has already guaranteed that if the
primary is a file-backed device, extra devices should also be
regular files.

However, if the primary is a block device while the extra device
is a file-backed device, `erofs_init_device` will get an ENOTBLK,
which is not treated as an error in `erofs_fc_get_tree`, and that
leads to an UAF:

  erofs_fc_get_tree
    get_tree_bdev_flags(erofs_fc_fill_super)
      erofs_read_superblock
        erofs_init_device  // sbi->dif0 is not inited yet,
                           // return -ENOTBLK
      deactivate_locked_super
        free(sbi)
    if (err is -ENOTBLK)
      sbi->dif0.file = filp_open()  // sbi UAF

So if -ENOTBLK is hitted in `erofs_init_device`, it means the
primary device must be a block device, and the extra device
is not a block device. The error can be converted to -EINVAL.

Comment 1 Mauro Matteo Cascella 2025-07-03 10:05:59 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025070343-CVE-2025-38172-13be@gregkh/T


Note You need to log in before you can comment on or make changes to this bug.