{
  "id": "CVE-2025-37785",
  "summary": "ext4: fix OOB read when checking dotdot dir",
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix OOB read when checking dotdot dir\n\nMounting a corrupted filesystem with directory which contains '.' dir\nentry with rec_len == block size results in out-of-bounds read (later\non, when the corrupted directory is removed).\n\next4_empty_dir() assumes every ext4 directory contains at least '.'\nand '..' as directory entries in the first data block. It first loads\nthe '.' dir entry, performs sanity checks by calling ext4_check_dir_entry()\nand then uses its rec_len member to compute the location of '..' dir\nentry (in ext4_next_entry). It assumes the '..' dir entry fits into the\nsame data block.\n\nIf the rec_len of '.' is precisely one block (4KB), it slips through the\nsanity checks (it is considered the last directory entry in the data\nblock) and leaves \"struct ext4_dir_entry_2 *de\" point exactly past the\nmemory slot allocated to the data block. The following call to\next4_check_dir_entry() on new value of de then dereferences this pointer\nwhich results in out-of-bounds mem access.\n\nFix this by extending __ext4_check_dir_entry() to check for '.' dir\nentries that reach the end of data block. Make sure to ignore the phony\ndir entries for checksum (by checking name_len for non-zero).\n\nNote: This is reported by KASAN as use-after-free in case another\nstructure was recently freed from the slot past the bound, but it is\nreally an OOB read.\n\nThis issue was found by syzkaller tool.\n\nCall Trace:\n[   38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710\n[   38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375\n[   38.595158]\n[   38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1\n[   38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[   38.595304] Call Trace:\n[   38.595308]  \u003cTASK\u003e\n[   38.595311]  dump_stack_lvl+0xa7/0xd0\n[   38.595325]  print_address_description.constprop.0+0x2c/0x3f0\n[   38.595339]  ? __ext4_check_dir_entry+0x67e/0x710\n[   38.595349]  print_report+0xaa/0x250\n[   38.595359]  ? __ext4_check_dir_entry+0x67e/0x710\n[   38.595368]  ? kasan_addr_to_slab+0x9/0x90\n[   38.595378]  kasan_report+0xab/0xe0\n[   38.595389]  ? __ext4_check_dir_entry+0x67e/0x710\n[   38.595400]  __ext4_check_dir_entry+0x67e/0x710\n[   38.595410]  ext4_empty_dir+0x465/0x990\n[   38.595421]  ? __pfx_ext4_empty_dir+0x10/0x10\n[   38.595432]  ext4_rmdir.part.0+0x29a/0xd10\n[   38.595441]  ? __dquot_initialize+0x2a7/0xbf0\n[   38.595455]  ? __pfx_ext4_rmdir.part.0+0x10/0x10\n[   38.595464]  ? __pfx___dquot_initialize+0x10/0x10\n[   38.595478]  ? down_write+0xdb/0x140\n[   38.595487]  ? __pfx_down_write+0x10/0x10\n[   38.595497]  ext4_rmdir+0xee/0x140\n[   38.595506]  vfs_rmdir+0x209/0x670\n[   38.595517]  ? lookup_one_qstr_excl+0x3b/0x190\n[   38.595529]  do_rmdir+0x363/0x3c0\n[   38.595537]  ? __pfx_do_rmdir+0x10/0x10\n[   38.595544]  ? strncpy_from_user+0x1ff/0x2e0\n[   38.595561]  __x64_sys_unlinkat+0xf0/0x130\n[   38.595570]  do_syscall_64+0x5b/0x180\n[   38.595583]  entry_SYSCALL_64_after_hwframe+0x76/0x7e",
  "modified": "2026-04-16T04:36:14.940126494Z",
  "published": "2025-04-18T07:01:27.393Z",
  "related": [
    "ALSA-2025:8643",
    "SUSE-SU-2025:01600-1",
    "SUSE-SU-2025:01614-1",
    "SUSE-SU-2025:01707-1",
    "SUSE-SU-2025:01918-1",
    "SUSE-SU-2025:01919-1",
    "SUSE-SU-2025:01951-1",
    "SUSE-SU-2025:01964-1",
    "SUSE-SU-2025:01967-1",
    "SUSE-SU-2025:02173-1",
    "SUSE-SU-2025:02262-1",
    "SUSE-SU-2025:02321-1",
    "SUSE-SU-2025:20343-1",
    "SUSE-SU-2025:20344-1",
    "SUSE-SU-2025:20354-1",
    "SUSE-SU-2025:20355-1"
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37785.json"
  },
  "references": [
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/14da7dbecb430e35b5889da8dae7bef33173b351"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/52a5509ab19a5d3afe301165d9b5787bba34d842"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/53bc45da8d8da92ec07877f5922b130562eb4b00"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/89503e5eae64637d0fa2218912b54660effe7d93"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/ac28c5684c1cdab650a7e5065b19e91577d37a4b"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/b47584c556444cf7acb66b26a62cbc348eb92b78"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/b7531a4f99c3887439d778afaf418d1a01a5f01b"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/d5e206778e96e8667d3bde695ad372c296dc9353"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/e47f472a664d70a3d104a6c2a035cdff55a719b4"},
    {"type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},
    {"type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37785.json"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37785"},
    {"type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "events": [
            {"introduced": "ac27a0ec112a089f1a5102bc8dffc79c8c815571"},
            {"fixed": "14da7dbecb430e35b5889da8dae7bef33173b351"},
            {"fixed": "e47f472a664d70a3d104a6c2a035cdff55a719b4"},
            {"fixed": "b7531a4f99c3887439d778afaf418d1a01a5f01b"},
            {"fixed": "89503e5eae64637d0fa2218912b54660effe7d93"},
            {"fixed": "52a5509ab19a5d3afe301165d9b5787bba34d842"},
            {"fixed": "b47584c556444cf7acb66b26a62cbc348eb92b78"},
            {"fixed": "ac28c5684c1cdab650a7e5065b19e91577d37a4b"},
            {"fixed": "53bc45da8d8da92ec07877f5922b130562eb4b00"},
            {"fixed": "d5e206778e96e8667d3bde695ad372c296dc9353"}
          ]
        }
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37785.json"
      }
    }
  ],
  "schema_version": "1.7.5"
}