Wind River Support Network

Acknowledged

LIN1024-11123 : Security Advisory - linux - CVE-2025-39691

Created: Sep 7, 2025    Updated: Sep 8, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

fs/buffer: fix use-after-free when call bh_read() helper

There's an issue as follows:

BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110
Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0
CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
 <IRQ>
 dump_stack_lvl+0x55/0x70
 print_address_description.constprop.0+0x2c/0x390
 print_report+0xb4/0x270
 kasan_report+0xb8/0xf0
 end_buffer_read_sync+0xe3/0x110
 end_bio_bh_io_sync+0x56/0x80
 blk_update_request+0x30a/0x720
 scsi_end_request+0x51/0x2b0
 scsi_io_completion+0xe3/0x480
 ? scsi_device_unbusy+0x11e/0x160
 blk_complete_reqs+0x7b/0x90
 handle_softirqs+0xef/0x370
 irq_exit_rcu+0xa5/0xd0
 sysvec_apic_timer_interrupt+0x6e/0x90
 </IRQ>

The above issue happens when doing an ntfs3 filesystem mount; the issue may happen as follows:

          mount                            IRQ
ntfs_fill_super
  read_cache_page
    do_read_cache_folio
      filemap_read_folio
        mpage_read_folio
         do_mpage_readpage
          ntfs_get_block_vbo
           bh_read
             submit_bh
             wait_on_buffer(bh);
                                   blk_complete_reqs
                                    scsi_io_completion
                                     scsi_end_request
                                      blk_update_request
                                       end_bio_bh_io_sync
                                        end_buffer_read_sync
                                         __end_buffer_read_notouch
                                          unlock_buffer

            wait_on_buffer(bh); --> return will return to caller

                                         put_bh
                                           --> trigger stack-out-of-bounds

In the mpage_read_folio() function, the stack variable 'map_bh' is passed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and wait_on_buffer() returns to continue processing, the stack variable is likely to be reclaimed. Consequently, during the end_buffer_read_sync() process, calling put_bh() may result in stack overrun.

If the bh is not allocated on the stack, it belongs to a folio. Freeing a buffer head which belongs to a folio is done by drop_buffers() which will fail to free buffers which are still locked. So it is safe to call put_bh() before __end_buffer_read_notouch().
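The ordering argument in the commit message, modelled as an added C example that is neither kernel code nor part of the advisory: a toy bh records whether its backing memory is still alive, and the pre-fix and fixed completion orders are compared for both a stack-allocated bh (the bh_read() case) and a folio-owned bh. The struct, the backing_alive flag and the bad_accesses counter are constructed stand-ins, not kernel APIs.

```c
#include <stdbool.h>

/* Toy buffer_head (constructed for this example, not the kernel's struct):
 * lock bit, refcount, and a flag standing in for the memory that backs the
 * bh: a caller's stack frame in the bh_read() case, a folio otherwise. */
struct bh {
    bool locked;
    int  refcount;
    bool *backing_alive;   /* cleared once the backing memory is gone */
    bool  on_stack;
};

static int bad_accesses;   /* touches of a bh whose backing is already gone */
static void touch(struct bh *b) { if (!*b->backing_alive) bad_accesses++; }

/* put_bh(): drops a reference, which reads and writes the bh itself. */
static void put_bh(struct bh *b) { touch(b); b->refcount--; }

/* unlock_buffer(): clears the lock and wakes wait_on_buffer(). A stack bh's
 * woken caller returns and its frame is reclaimed. A folio bh is only freed
 * by drop_buffers(), which skips locked or referenced buffers. */
static void unlock_buffer(struct bh *b) {
    touch(b);
    b->locked = false;
    if (b->on_stack || b->refcount == 0) *b->backing_alive = false;
}

/* Completion handler, pre-fix order: unlock first, then put. */
static int end_buffer_read_sync_old(struct bh *b) {
    bad_accesses = 0;
    unlock_buffer(b);
    put_bh(b);            /* touches a stack bh after its frame is gone */
    return bad_accesses;
}

/* Completion handler, fixed order: put first, then unlock. */
static int end_buffer_read_sync_fixed(struct bh *b) {
    bad_accesses = 0;
    put_bh(b);            /* bh is still locked, so nothing can free it yet */
    unlock_buffer(b);
    return bad_accesses;
}

/* Runs one completion on a fresh locked, single-reference bh and returns how
 * many accesses hit memory that had already been released. */
static int run(bool on_stack, int (*handler)(struct bh *)) {
    bool alive = true;
    struct bh b = { true, 1, &alive, on_stack };
    return handler(&b);
}
```

Only the pre-fix order on a stack bh reports an access after the backing is gone; the folio case is safe in either order because drop_buffers() refuses to free a locked or referenced buffer.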

Reference: CVE-2025-39691 (https://nvd.nist.gov/vuln/detail/CVE-2025-39691)