NuytsTech Security

CVE-2025-22036

by ·

In the Linux kernel, the following vulnerability has been resolved:

exfat: fix random stack corruption after get_block

When get_block is called with a buffer_head allocated on the stack, such
as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in
the following race condition situation.


mpage_read_folio
<>
do_mpage_readpage
exfat_get_block
bh_read
__bh_read
get_bh(bh)
submit_bh
wait_on_buffer

end_buffer_read_sync
__end_buffer_read_notouch
unlock_buffer
<>




<>
.
.
another_function
<>
put_bh(bh)
atomic_dec(bh->b_count)
* stack corruption here *

This patch returns -EAGAIN if a folio does not have buffers when bh_read
needs to be called. By doing this, the caller can fallback to functions
like block_read_full_folio(), create a buffer_head in the folio, and then
call get_block again.

Let’s do not call bh_read() with on-stack buffer_head.

More information : https://git.kernel.org/stable/c/1bb7ff4204b6d4927e982cd256286c09ed4fd8ca

Tags: