CVE-2025-38415
BaseFortify

Publication date: 2025-07-25

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

Squashfs: check return result of sb_min_blocksize

Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug.

Syzkaller forks multiple processes which after mounting the Squashfs filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000). Now if this ioctl occurs at the same time another process is in the process of mounting a Squashfs filesystem on /dev/loop0, the failure occurs. When this happens the following code in squashfs_fill_super() fails.

----
msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
msblk->devblksize_log2 = ffz(~msblk->devblksize);
----

sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.

As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2 is set to 64.

This subsequently causes the

UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36
shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')

This commit adds a check for a 0 return by sb_min_blocksize().
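
The arithmetic described above, modelled in user-space C as an added example (not the kernel's code and not the fix itself). ffz_model(), struct msblk_model, the function names, the 1024 block size and the -EINVAL return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define DEVBLK_SIZE 1024 /* stand-in for SQUASHFS_DEVBLK_SIZE (assumed value) */

struct msblk_model {     /* hypothetical subset of the Squashfs superblock info */
    uint64_t devblksize;
    int devblksize_log2;
};

/* Model of ffz(): index of the first zero bit. Returns 64 when no bit is
 * zero, which is the result the description gives for ffz(~0). */
static int ffz_model(uint64_t word)
{
    int bit = 0;
    while (bit < 64 && (word & (UINT64_C(1) << bit)))
        bit++;
    return bit;
}

/* Pre-fix logic: the returned block size is used without a check for 0. */
static int fill_super_unchecked(struct msblk_model *m, uint64_t min_blocksize)
{
    m->devblksize = min_blocksize;
    m->devblksize_log2 = ffz_model(~m->devblksize);
    return 0;
}

/* With the check the fix adds: a 0 block size fails the mount instead. */
static int fill_super_checked(struct msblk_model *m, uint64_t min_blocksize)
{
    if (min_blocksize == 0)
        return -EINVAL; /* assumed error code */
    return fill_super_unchecked(m, min_blocksize);
}

/* Shifting a 64-bit value is only defined for exponents 0..63. */
static int shift_is_defined(int exponent)
{
    return exponent >= 0 && exponent < 64;
}

int main(void)
{
    struct msblk_model m = {0};
    fill_super_unchecked(&m, 0);
    printf("unchecked: log2=%d shift defined=%d\n",
           m.devblksize_log2, shift_is_defined(m.devblksize_log2));
    printf("checked: rc(0)=%d rc(%d)=%d\n", fill_super_checked(&m, 0),
           DEVBLK_SIZE, fill_super_checked(&m, DEVBLK_SIZE));
    return 0;
}
```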
Meta Information
Published: 2025-07-25
Last Modified: 2025-11-03
Generated: 2026-05-07
AI Q&A: 2025-07-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's Squashfs filesystem code. When multiple processes simultaneously mount a Squashfs filesystem and issue an ioctl call to set the block size on /dev/loop0, a race condition can cause the function sb_min_blocksize() to return 0. This leads to an invalid calculation in the code, resulting in an out-of-bounds shift operation (shift exponent 64 on a 64-bit type), which triggers an undefined behavior sanitizer (UBSAN) error. The issue arises because the code does not properly check for a zero return value from sb_min_blocksize(), causing incorrect internal state and potential kernel instability.


How can this vulnerability impact me?

This vulnerability can cause kernel instability or crashes when mounting Squashfs filesystems under specific concurrent conditions. The out-of-bounds shift operation can lead to undefined behavior, potentially causing denial of service or system crashes. This may affect system reliability and availability, especially in environments where Squashfs filesystems are frequently mounted concurrently.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix which adds a check for a 0 return by sb_min_blocksize() in the Squashfs filesystem code. Avoid mounting Squashfs filesystems on /dev/loop0 concurrently with ioctl calls that set block size, as this triggers the issue.

