Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()[EOL][EOL]The hfsplus_readdir() method is capable to crash by calling[EOL]hfsplus_uni2asc():[EOL][EOL][  667.121659][ T9805] ==================================================================[EOL][  667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10[EOL][  667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805[EOL][  667.124578][ T9805][EOL][  667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full)[EOL][  667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014[EOL][  667.124890][ T9805] Call Trace:[EOL][  667.124893][ T9805]  <TASK>[EOL][  667.124896][ T9805]  dump_stack_lvl+0x10e/0x1f0[EOL][  667.124911][ T9805]  print_report+0xd0/0x660[EOL][  667.124920][ T9805]  ? __virt_addr_valid+0x81/0x610[EOL][  667.124928][ T9805]  ? __phys_addr+0xe8/0x180[EOL][  667.124934][ T9805]  ? hfsplus_uni2asc+0x902/0xa10[EOL][  667.124942][ T9805]  kasan_report+0xc6/0x100[EOL][  667.124950][ T9805]  ? hfsplus_uni2asc+0x902/0xa10[EOL][  667.124959][ T9805]  hfsplus_uni2asc+0x902/0xa10[EOL][  667.124966][ T9805]  ? hfsplus_bnode_read+0x14b/0x360[EOL][  667.124974][ T9805]  hfsplus_readdir+0x845/0xfc0[EOL][  667.124984][ T9805]  ? __pfx_hfsplus_readdir+0x10/0x10[EOL][  667.124994][ T9805]  ? stack_trace_save+0x8e/0xc0[EOL][  667.125008][ T9805]  ? iterate_dir+0x18b/0xb20[EOL][  667.125015][ T9805]  ? trace_lock_acquire+0x85/0xd0[EOL][  667.125022][ T9805]  ? lock_acquire+0x30/0x80[EOL][  667.125029][ T9805]  ? iterate_dir+0x18b/0xb20[EOL][  667.125037][ T9805]  ? down_read_killable+0x1ed/0x4c0[EOL][  667.125044][ T9805]  ? putname+0x154/0x1a0[EOL][  667.125051][ T9805]  ? __pfx_down_read_killable+0x10/0x10[EOL][  667.125058][ T9805]  ? apparmor_file_permission+0x239/0x3e0[EOL][  667.125069][ T9805]  iterate_dir+0x296/0xb20[EOL][  667.125076][ T9805]  __x64_sys_getdents64+0x13c/0x2c0[EOL][  667.125084][ T9805]  ? __pfx___x64_sys_getdents64+0x10/0x10[EOL][  667.125091][ T9805]  ? __x64_sys_openat+0x141/0x200[EOL][  667.125126][ T9805]  ? __pfx_filldir64+0x10/0x10[EOL][  667.125134][ T9805]  ? do_user_addr_fault+0x7fe/0x12f0[EOL][  667.125143][ T9805]  do_syscall_64+0xc9/0x480[EOL][  667.125151][ T9805]  entry_SYSCALL_64_after_hwframe+0x77/0x7f[EOL][  667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9[EOL][  667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48[EOL][  667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9[EOL][  667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9[EOL][  667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004[EOL][  667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110[EOL][  667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260[EOL][  667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000[EOL][  667.125207][ T9805]  </TASK>[EOL][  667.125210][ T9805][EOL][  667.145632][ T9805] Allocated by task 9805:[EOL][  667.145991][ T9805]  kasan_save_stack+0x20/0x40[EOL][  667.146352][ T9805]  kasan_save_track+0x14/0x30[EOL][  667.146717][ T9805]  __kasan_kmalloc+0xaa/0xb0[EOL][  667.147065][ T9805]  __kmalloc_noprof+0x205/0x550[EOL][  667.147448][ T9805]  hfsplus_find_init+0x95/0x1f0[EOL][  667.147813][ T9805]  hfsplus_readdir+0x220/0xfc0[EOL][  667.148174][ T9805]  iterate_dir+0x296/0xb20[EOL][  667.148549][ T9805]  __x64_sys_getdents64+0x13c/0x2c0[EOL][  667.148937][ T9805]  do_syscall_64+0xc9/0x480[EOL][  667.149291][ T9805]  entry_SYSCALL_64_after_hwframe+0x77/0x7f[EOL][  667.149809][ T9805][EOL][  667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000[EOL][  667.150030][ T9805]  which belongs to the cache kmalloc-2k of size 2048[EOL][  667.151282][ T9805] The buggy address is located 0 bytes to the right of[EOL][  667.151282][ T9805]  allocated 1036-byte region [ffff88802592f000, ffff88802592f40c)[EOL][  667.1[EOL]---truncated---

CREATE(Triage):(User=admin) [CVE-2025-38713 (https://nvd.nist.gov/vuln/detail/CVE-2025-38713)