CVE-2025-39723 (GCVE-0-2025-39723)
Vulnerability from cvelistv5
Published
2025-09-05 17:21
Modified
2025-09-29 05:58
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix unbuffered write error handling If all the subrequests in an unbuffered write stream fail, the subrequest collector doesn't update the stream->transferred value and it retains its initial LONG_MAX value. Unfortunately, if all active streams fail, then we take the smallest value of { LONG_MAX, LONG_MAX, ... } as the value to set in wreq->transferred - which is then returned from ->write_iter(). LONG_MAX was chosen as the initial value so that all the streams can be quickly assessed by taking the smallest value of all stream->transferred - but this only works if we've set any of them. Fix this by adding a flag to indicate whether the value in stream->transferred is valid and checking that when we integrate the values. stream->transferred can then be initialised to zero. This was found by running the generic/750 xfstest against cifs with cache=none. It splices data to the target file. Once (if) it has used up all the available scratch space, the writes start failing with ENOSPC. This causes ->write_iter() to fail. However, it was returning wreq->transferred, i.e. LONG_MAX, rather than an error (because it thought the amount transferred was non-zero) and iter_file_splice_write() would then try to clean up that amount of pipe bufferage - leading to an oops when it overran. The kernel log showed: CIFS: VFS: Send error in write = -28 followed by: BUG: kernel NULL pointer dereference, address: 0000000000000008 with: RIP: 0010:iter_file_splice_write+0x3a4/0x520 do_splice+0x197/0x4e0 or: RIP: 0010:pipe_buf_release (include/linux/pipe_fs_i.h:282) iter_file_splice_write (fs/splice.c:755) Also put a warning check into splice to announce if ->write_iter() returned that it had written more than it was asked to.
References
Impacted products
Vendor Product Version
Linux Linux Version: 288ace2f57c9d06dd2e42bd80d03747d879a4068
Version: 288ace2f57c9d06dd2e42bd80d03747d879a4068
Version: 288ace2f57c9d06dd2e42bd80d03747d879a4068
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/netfs/read_collect.c",
            "fs/netfs/write_collect.c",
            "fs/netfs/write_issue.c",
            "fs/splice.c",
            "include/linux/netfs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f08c80af3c9a9849cd178b4843b7c01d103506a1",
              "status": "affected",
              "version": "288ace2f57c9d06dd2e42bd80d03747d879a4068",
              "versionType": "git"
            },
            {
              "lessThan": "387164a2b97e1f5404c6d0049a7409bac7d2bc5b",
              "status": "affected",
              "version": "288ace2f57c9d06dd2e42bd80d03747d879a4068",
              "versionType": "git"
            },
            {
              "lessThan": "a3de58b12ce074ec05b8741fa28d62ccb1070468",
              "status": "affected",
              "version": "288ace2f57c9d06dd2e42bd80d03747d879a4068",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/netfs/read_collect.c",
            "fs/netfs/write_collect.c",
            "fs/netfs/write_issue.c",
            "fs/splice.c",
            "include/linux/netfs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix unbuffered write error handling\n\nIf all the subrequests in an unbuffered write stream fail, the subrequest\ncollector doesn\u0027t update the stream-\u003etransferred value and it retains its\ninitial LONG_MAX value.  Unfortunately, if all active streams fail, then we\ntake the smallest value of { LONG_MAX, LONG_MAX, ... } as the value to set\nin wreq-\u003etransferred - which is then returned from -\u003ewrite_iter().\n\nLONG_MAX was chosen as the initial value so that all the streams can be\nquickly assessed by taking the smallest value of all stream-\u003etransferred -\nbut this only works if we\u0027ve set any of them.\n\nFix this by adding a flag to indicate whether the value in\nstream-\u003etransferred is valid and checking that when we integrate the\nvalues.  stream-\u003etransferred can then be initialised to zero.\n\nThis was found by running the generic/750 xfstest against cifs with\ncache=none.  It splices data to the target file.  Once (if) it has used up\nall the available scratch space, the writes start failing with ENOSPC.\nThis causes -\u003ewrite_iter() to fail.  However, it was returning\nwreq-\u003etransferred, i.e. LONG_MAX, rather than an error (because it thought\nthe amount transferred was non-zero) and iter_file_splice_write() would\nthen try to clean up that amount of pipe bufferage - leading to an oops\nwhen it overran.  The kernel log showed:\n\n    CIFS: VFS: Send error in write = -28\n\nfollowed by:\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000008\n\nwith:\n\n    RIP: 0010:iter_file_splice_write+0x3a4/0x520\n    do_splice+0x197/0x4e0\n\nor:\n\n    RIP: 0010:pipe_buf_release (include/linux/pipe_fs_i.h:282)\n    iter_file_splice_write (fs/splice.c:755)\n\nAlso put a warning check into splice to announce if -\u003ewrite_iter() returned\nthat it had written more than it was asked to."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:58:10.575Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f08c80af3c9a9849cd178b4843b7c01d103506a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/387164a2b97e1f5404c6d0049a7409bac7d2bc5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a3de58b12ce074ec05b8741fa28d62ccb1070468"
        }
      ],
      "title": "netfs: Fix unbuffered write error handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39723",
    "datePublished": "2025-09-05T17:21:31.137Z",
    "dateReserved": "2025-04-16T07:20:57.117Z",
    "dateUpdated": "2025-09-29T05:58:10.575Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-39723\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-09-05T18:15:50.043\",\"lastModified\":\"2025-09-08T16:25:38.810\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfs: Fix unbuffered write error handling\\n\\nIf all the subrequests in an unbuffered write stream fail, the subrequest\\ncollector doesn\u0027t update the stream-\u003etransferred value and it retains its\\ninitial LONG_MAX value.  Unfortunately, if all active streams fail, then we\\ntake the smallest value of { LONG_MAX, LONG_MAX, ... } as the value to set\\nin wreq-\u003etransferred - which is then returned from -\u003ewrite_iter().\\n\\nLONG_MAX was chosen as the initial value so that all the streams can be\\nquickly assessed by taking the smallest value of all stream-\u003etransferred -\\nbut this only works if we\u0027ve set any of them.\\n\\nFix this by adding a flag to indicate whether the value in\\nstream-\u003etransferred is valid and checking that when we integrate the\\nvalues.  stream-\u003etransferred can then be initialised to zero.\\n\\nThis was found by running the generic/750 xfstest against cifs with\\ncache=none.  It splices data to the target file.  Once (if) it has used up\\nall the available scratch space, the writes start failing with ENOSPC.\\nThis causes -\u003ewrite_iter() to fail.  However, it was returning\\nwreq-\u003etransferred, i.e. LONG_MAX, rather than an error (because it thought\\nthe amount transferred was non-zero) and iter_file_splice_write() would\\nthen try to clean up that amount of pipe bufferage - leading to an oops\\nwhen it overran.  The kernel log showed:\\n\\n    CIFS: VFS: Send error in write = -28\\n\\nfollowed by:\\n\\n    BUG: kernel NULL pointer dereference, address: 0000000000000008\\n\\nwith:\\n\\n    RIP: 0010:iter_file_splice_write+0x3a4/0x520\\n    do_splice+0x197/0x4e0\\n\\nor:\\n\\n    RIP: 0010:pipe_buf_release (include/linux/pipe_fs_i.h:282)\\n    iter_file_splice_write (fs/splice.c:755)\\n\\nAlso put a warning check into splice to announce if -\u003ewrite_iter() returned\\nthat it had written more than it was asked to.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/387164a2b97e1f5404c6d0049a7409bac7d2bc5b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a3de58b12ce074ec05b8741fa28d62ccb1070468\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f08c80af3c9a9849cd178b4843b7c01d103506a1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.