logo_clicknbuy.png

CVE-2025-37779 – “ERofs Linux Kernel Folio UAF Vulnerability”

The following table lists the changes that have been made to the
CVE-2025-37779 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 01, 2025

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved:

    lib/iov_iter: fix to increase non slab folio refcount

    When testing EROFS file-backed mount over v9fs on qemu, I encountered a
    folio UAF issue. The page sanity check reports the following call trace.
    The root cause is that pages in bvec are coalesced across a folio bounary.
    The refcount of all non-slab folios should be increased to ensure
    p9_releas_pages can put them correctly.

    BUG: Bad page state in process md5sum pfn:18300
    page: refcount:0 mapcount:0 mapping:00000000d5ad8e4e index:0x60 pfn:0x18300
    head: order:0 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
    aops:z_erofs_aops ino:30b0f dentry name(?):”GoogleExtServicesCn.apk”
    flags: 0x100000000000041(locked|head|node=0|zone=1)
    raw: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0
    raw: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000
    head: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0
    head: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000
    head: 0100000000000000 0000000000000000 ffffffffffffffff 0000000000000000
    head: 0000000000000010 0000000000000000 00000000ffffffff 0000000000000000
    page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
    Call Trace:
    dump_stack_lvl+0x53/0x70
    bad_page+0xd4/0x220
    __free_pages_ok+0x76d/0xf30
    __folio_put+0x230/0x320
    p9_release_pages+0x179/0x1f0
    p9_virtio_zc_request+0xa2a/0x1230
    p9_client_zc_rpc.constprop.0+0x247/0x700
    p9_client_read_once+0x34d/0x810
    p9_client_read+0xf3/0x150
    v9fs_issue_read+0x111/0x360
    netfs_unbuffered_read_iter_locked+0x927/0x1390
    netfs_unbuffered_read_iter+0xa2/0xe0
    vfs_iocb_iter_read+0x2c7/0x460
    erofs_fileio_rq_submit+0x46b/0x5b0
    z_erofs_runqueue+0x1203/0x21e0
    z_erofs_readahead+0x579/0x8b0
    read_pages+0x19f/0xa70
    page_cache_ra_order+0x4ad/0xb80
    filemap_readahead.isra.0+0xe7/0x150
    filemap_get_pages+0x7aa/0x1890
    filemap_read+0x320/0xc80
    vfs_read+0x6c6/0xa30
    ksys_read+0xf9/0x1c0
    do_syscall_64+0x9e/0x1a0
    entry_SYSCALL_64_after_hwframe+0x71/0x79
    Added Reference https://git.kernel.org/stable/c/770c8d55c42868239c748a3ebc57c9e37755f842
    Added Reference https://git.kernel.org/stable/c/d833f21162c4d536d729628f8cf1ee8d4110f2b7
Share the Post:

Related Posts