{"uuid": "bdc12e79-43dc-40b7-abe1-8cca99608e51", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-22123", "type": "seen", "source": "https://t.me/cvedetector/23124", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-22123 - Linux F2FS Uninitialized Pointer Access Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2025-22123 \nPublished : April 16, 2025, 3:16 p.m. | 23\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nf2fs: fix to avoid accessing uninitialized curseg  \n  \nsyzbot reports a f2fs bug as below:  \n  \nF2FS-fs (loop3): Stopped filesystem due to reason: 7  \nkworker/u8:7: attempt to access beyond end of device  \nBUG: unable to handle page fault for address: ffffed1604ea3dfa  \nRIP: 0010:get_ckpt_valid_blocks fs/f2fs/segment.h:361 [inline]  \nRIP: 0010:has_curseg_enough_space fs/f2fs/segment.h:570 [inline]  \nRIP: 0010:__get_secs_required fs/f2fs/segment.h:620 [inline]  \nRIP: 0010:has_not_enough_free_secs fs/f2fs/segment.h:633 [inline]  \nRIP: 0010:has_enough_free_secs+0x575/0x1660 fs/f2fs/segment.h:649  \n   \n f2fs_is_checkpoint_ready fs/f2fs/segment.h:671 [inline]  \n f2fs_write_inode+0x425/0x540 fs/f2fs/inode.c:791  \n write_inode fs/fs-writeback.c:1525 [inline]  \n __writeback_single_inode+0x708/0x10d0 fs/fs-writeback.c:1745  \n writeback_sb_inodes+0x820/0x1360 fs/fs-writeback.c:1976  \n wb_writeback+0x413/0xb80 fs/fs-writeback.c:2156  \n wb_do_writeback fs/fs-writeback.c:2303 [inline]  \n wb_workfn+0x410/0x1080 fs/fs-writeback.c:2343  \n process_one_work kernel/workqueue.c:3236 [inline]  \n process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317  \n worker_thread+0x870/0xd30 kernel/workqueue.c:3398  \n kthread+0x7a9/0x920 kernel/kthread.c:464  \n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148  \n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244  \n  
\nCommit 8b10d3653735 (\"f2fs: introduce FAULT_NO_SEGMENT\") allows to trigger  \nno free segment fault in allocator, then it will update curseg->segno to  \nNULL_SEGNO, though, CP_ERROR_FLAG has been set, f2fs_write_inode() missed  \nto check the flag, and access invalid curseg->segno directly in below call  \npath, then resulting in panic:  \n  \n- f2fs_write_inode  \n - f2fs_is_checkpoint_ready  \n  - has_enough_free_secs  \n   - has_not_enough_free_secs  \n    - __get_secs_required  \n     - has_curseg_enough_space  \n      - get_ckpt_valid_blocks  \n      : access invalid curseg->segno  \n  \nTo avoid this issue, let's:  \n- check CP_ERROR_FLAG flag prior to f2fs_is_checkpoint_ready() in  \nf2fs_write_inode().  \n- in has_curseg_enough_space(), save curseg->segno into a temp variable,  \nand verify its validation before use. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"16 Apr 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-04-16T17:43:50.000000Z"}