Acknowledged
Created: Jul 28, 2025
Updated: Jul 29, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

Squashfs: check return result of sb_min_blocksize

Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug.

Syzkaller forks multiple processes which after mounting the Squashfs
filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000).
Now if this ioctl occurs at the same time another process is in the
process of mounting a Squashfs filesystem on /dev/loop0, the failure
occurs. When this happens the following code in squashfs_fill_super()
fails.

----
msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
msblk->devblksize_log2 = ffz(~msblk->devblksize);
----

sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.

As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2
is set to 64.

This subsequently causes the

UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36
shift exponent 64 is too large for 64-bit type 'u64' (aka
'unsigned long long')

This commit adds a check for a 0 return by sb_min_blocksize().
CREATE(Triage):(User=admin) [CVE-2025-38415 (https://nvd.nist.gov/vuln/detail/CVE-2025-38415)
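The failure described in the advisory text above, reproduced as a user-space model. This is an added example, not code from the kernel or from the fix commit. Every `model_` name is hypothetical, `model_ffz` is a stand-in that returns 64 for an all-ones word as the advisory reports, and the `-EINVAL` return value is an assumption of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model; every model_ name is hypothetical, not kernel code. */
struct model_sb_info {
    int devblksize;
    unsigned devblksize_log2;
};

/* Stand-in for ffz(): first zero bit, or 64 if none (the advisory's ffz(~0)). */
static unsigned model_ffz(uint64_t word)
{
    unsigned i = 0;
    while (i < 64 && (word & (UINT64_C(1) << i)))
        i++;
    return i;
}

/* The two quoted statements; blksize stands in for sb_min_blocksize()'s result. */
static void model_set_unchecked(struct model_sb_info *m, int blksize)
{
    m->devblksize = blksize;
    m->devblksize_log2 = model_ffz((uint64_t)~m->devblksize);
}

/* Same, but reject 0 first. -EINVAL is this example's choice of error code. */
static int model_set_checked(struct model_sb_info *m, int blksize)
{
    if (blksize == 0)
        return -EINVAL;
    model_set_unchecked(m, blksize);
    return 0;
}

/* A 64-bit shift is only defined for exponents 0..63. */
static int model_shift_is_defined(const struct model_sb_info *m)
{
    return m->devblksize_log2 < 64;
}

int main(void)
{
    struct model_sb_info m;
    model_set_unchecked(&m, 0);
    printf("unchecked 0: log2=%u shift_defined=%d\n", m.devblksize_log2, model_shift_is_defined(&m));
    printf("checked 0: rc=%d\n", model_set_checked(&m, 0));
    return 0;
}
```

With a valid block size such as 1024 the same code yields a log2 of 10, so only the 0 return produces the out-of-range exponent.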