Bug 2418837 (CVE-2025-40241) - CVE-2025-40241 kernel: erofs: fix crafted invalid cases for encoded extents
Summary: CVE-2025-40241 kernel: erofs: fix crafted invalid cases for encoded extents
Keywords:
Status: NEW
Alias: CVE-2025-40241
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-04 16:03 UTC by OSIDB Bzimport
Modified: 2025-12-19 12:45 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-12-04 16:03:25 UTC 
In the Linux kernel, the following vulnerability has been resolved:

erofs: fix crafted invalid cases for encoded extents

Robert recently reported two corrupted images that can cause system
crashes, which are related to the new encoded extents introduced
in Linux 6.15:

  - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but
    (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent
    special extents such as sparse extents (!EROFS_MAP_MAPPED), but
    previously only plen == 0 was handled;

  - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,
    then "cur [0xfffffffffffff000] += bvec.bv_len [0x1000]" in
    "} while ((cur += bvec.bv_len) < end);" wraps around, causing an
    out-of-bound access of pcl->compressed_bvecs[] in
    z_erofs_submit_queue().  EROFS only supports 48-bit physical block
    addresses (up to 1EiB for 4k blocks), so add a sanity check to
    enforce this.
Comment 1 Alexander B 2025-12-05 15:14:05 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120403-CVE-2025-40241-c6ed@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.