ghsa-h3fq-7jwc-95rx
Vulnerability from github
Published
2025-12-08 03:31
Modified
2025-12-08 03:31
Details

In the Linux kernel, the following vulnerability has been resolved:

fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT

When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning.

[ 2.697306] ------------[ cut here ]------------ [ 2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [ 2.697311] shift exponent -1 is negative [ 2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [ 2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 2.697320] Call Trace: [ 2.697324] [ 2.697325] dump_stack_lvl+0x76/0xa0 [ 2.697340] dump_stack+0x10/0x20 [ 2.697342] __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [ 2.697351] bh_get_inode_and_lblk_num.cold+0x12/0x94 [ 2.697359] fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [ 2.697365] submit_bh_wbc+0xb6/0x190 [ 2.697370] block_read_full_folio+0x194/0x270 [ 2.697371] ? __pfx_blkdev_get_block+0x10/0x10 [ 2.697375] ? __pfx_blkdev_read_folio+0x10/0x10 [ 2.697377] blkdev_read_folio+0x18/0x30 [ 2.697379] filemap_read_folio+0x40/0xe0 [ 2.697382] filemap_get_pages+0x5ef/0x7a0 [ 2.697385] ? mmap_region+0x63/0xd0 [ 2.697389] filemap_read+0x11d/0x520 [ 2.697392] blkdev_read_iter+0x7c/0x180 [ 2.697393] vfs_read+0x261/0x390 [ 2.697397] ksys_read+0x71/0xf0 [ 2.697398] __x64_sys_read+0x19/0x30 [ 2.697399] x64_sys_call+0x1e88/0x26a0 [ 2.697405] do_syscall_64+0x80/0x670 [ 2.697410] ? __x64_sys_newfstat+0x15/0x20 [ 2.697414] ? x64_sys_call+0x204a/0x26a0 [ 2.697415] ? do_syscall_64+0xb8/0x670 [ 2.697417] ? irqentry_exit_to_user_mode+0x2e/0x2a0 [ 2.697420] ? irqentry_exit+0x43/0x50 [ 2.697421] ? exc_page_fault+0x90/0x1b0 [ 2.697422] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 2.697425] RIP: 0033:0x75054cba4a06 [ 2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [ 2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [ 2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [ 2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [ 2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [ 2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [ 2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [ 2.697436] [ 2.697436] ---[ end trace ]---

This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit.

File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue.

[EB: use folio_pos() and consolidate the two shifts by i_blkbits]

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-40295"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-08T01:16:01Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfscrypt: fix left shift underflow when inode-\u003ei_blkbits \u003e PAGE_SHIFT\n\nWhen simulating an nvme device on qemu with both logical_block_size and\nphysical_block_size set to 8 KiB, an error trace appears during\npartition table reading at boot time. The issue is caused by\ninode-\u003ei_blkbits being larger than PAGE_SHIFT, which leads to a left\nshift of -1 and triggering a UBSAN warning.\n\n[    2.697306] ------------[ cut here ]------------\n[    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37\n[    2.697311] shift exponent -1 is negative\n[    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary)\n[    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[    2.697320] Call Trace:\n[    2.697324]  \u003cTASK\u003e\n[    2.697325]  dump_stack_lvl+0x76/0xa0\n[    2.697340]  dump_stack+0x10/0x20\n[    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390\n[    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94\n[    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90\n[    2.697365]  submit_bh_wbc+0xb6/0x190\n[    2.697370]  block_read_full_folio+0x194/0x270\n[    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10\n[    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10\n[    2.697377]  blkdev_read_folio+0x18/0x30\n[    2.697379]  filemap_read_folio+0x40/0xe0\n[    2.697382]  filemap_get_pages+0x5ef/0x7a0\n[    2.697385]  ? mmap_region+0x63/0xd0\n[    2.697389]  filemap_read+0x11d/0x520\n[    2.697392]  blkdev_read_iter+0x7c/0x180\n[    2.697393]  vfs_read+0x261/0x390\n[    2.697397]  ksys_read+0x71/0xf0\n[    2.697398]  __x64_sys_read+0x19/0x30\n[    2.697399]  x64_sys_call+0x1e88/0x26a0\n[    2.697405]  do_syscall_64+0x80/0x670\n[    2.697410]  ? __x64_sys_newfstat+0x15/0x20\n[    2.697414]  ? x64_sys_call+0x204a/0x26a0\n[    2.697415]  ? do_syscall_64+0xb8/0x670\n[    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0\n[    2.697420]  ? irqentry_exit+0x43/0x50\n[    2.697421]  ? exc_page_fault+0x90/0x1b0\n[    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[    2.697425] RIP: 0033:0x75054cba4a06\n[    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 \u003c48\u003e 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\n[    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000\n[    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06\n[    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b\n[    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000\n[    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\n[    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0\n[    2.697436]  \u003c/TASK\u003e\n[    2.697436] ---[ end trace ]---\n\nThis situation can happen for block devices because when\nCONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size\nis 64 KiB. set_init_blocksize() then sets the block device\ninode-\u003ei_blkbits to 13, which is within this limit.\n\nFile I/O does not trigger this problem because for filesystems that do\nnot support the FS_LBS feature, sb_set_blocksize() prevents\nsb-\u003es_blocksize_bits from being larger than PAGE_SHIFT. During inode\nallocation, alloc_inode()-\u003einode_init_always() assigns inode-\u003ei_blkbits\nfrom sb-\u003es_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS\nflag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not\nhit the left-shift underflow issue.\n\n[EB: use folio_pos() and consolidate the two shifts by i_blkbits]",
  "id": "GHSA-h3fq-7jwc-95rx",
  "modified": "2025-12-08T03:31:00Z",
  "published": "2025-12-08T03:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40295"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e39da974ce621ed874c6d3aaf65ad14848c9f0d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dde026c5d2a5870f97924d5b512adf2b93fb7153"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.