Close Menu

    CVE-2025-37779 – “ERofs Linux Kernel Folio UAF Vulnerability”

    CVE ID : CVE-2025-37779

    Published : May 1, 2025, 2:15 p.m. | 1 hour, 10 minutes ago

    Description : In the Linux kernel, the following vulnerability has been resolved:

    lib/iov_iter: fix to increase non slab folio refcount

    When testing EROFS file-backed mount over v9fs on qemu, I encountered a
    folio UAF issue. The page sanity check reports the following call trace.
    The root cause is that pages in bvec are coalesced across a folio bounary.
    The refcount of all non-slab folios should be increased to ensure
    p9_releas_pages can put them correctly.

    BUG: Bad page state in process md5sum pfn:18300
    page: refcount:0 mapcount:0 mapping:00000000d5ad8e4e index:0x60 pfn:0x18300
    head: order:0 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
    aops:z_erofs_aops ino:30b0f dentry name(?):”GoogleExtServicesCn.apk”
    flags: 0x100000000000041(locked|head|node=0|zone=1)
    raw: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0
    raw: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000
    head: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0
    head: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000
    head: 0100000000000000 0000000000000000 ffffffffffffffff 0000000000000000
    head: 0000000000000010 0000000000000000 00000000ffffffff 0000000000000000
    page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
    Call Trace:
    dump_stack_lvl+0x53/0x70
    bad_page+0xd4/0x220
    __free_pages_ok+0x76d/0xf30
    __folio_put+0x230/0x320
    p9_release_pages+0x179/0x1f0
    p9_virtio_zc_request+0xa2a/0x1230
    p9_client_zc_rpc.constprop.0+0x247/0x700
    p9_client_read_once+0x34d/0x810
    p9_client_read+0xf3/0x150
    v9fs_issue_read+0x111/0x360
    netfs_unbuffered_read_iter_locked+0x927/0x1390
    netfs_unbuffered_read_iter+0xa2/0xe0
    vfs_iocb_iter_read+0x2c7/0x460
    erofs_fileio_rq_submit+0x46b/0x5b0
    z_erofs_runqueue+0x1203/0x21e0
    z_erofs_readahead+0x579/0x8b0
    read_pages+0x19f/0xa70
    page_cache_ra_order+0x4ad/0xb80
    filemap_readahead.isra.0+0xe7/0x150
    filemap_get_pages+0x7aa/0x1890
    filemap_read+0x320/0xc80
    vfs_read+0x6c6/0xa30
    ksys_read+0xf9/0x1c0
    do_syscall_64+0x9e/0x1a0
    entry_SYSCALL_64_after_hwframe+0x71/0x79

    Severity: 0.0 | NA

    Visit the link for more details, such as CVSS details, affected products, timeline, and more…

    Source: Read More

    Related Posts

    Leave A Reply

    For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.