CVE-2025-40233: Critical OCFS2 Vulnerability Leading to Stale Extent Data in Linux Kernel

Overview

CVE-2025-40233 identifies a vulnerability in the Linux kernel’s OCFS2 (Oracle Cluster File System version 2) file system. Specifically, the extent map cache can become stale after extents are moved or defragmented. Later operations then act on outdated extent flags, and the mismatch between the cached and on-disk data triggers a kernel panic (BUG_ON).

Technical Details

The vulnerability arises from a scenario involving reflinked extents, file range copies, and extent movement. The specific sequence of events leading to the issue is as follows:

  1. copy_file_range() creates a reflinked extent with the OCFS2_EXT_REFCOUNTED flag set.
  2. An ioctl(FITRIM) operation triggers ocfs2_move_extents().
  3. Within __ocfs2_move_extents_range(), the extent is read and cached with its flags (e.g., flags=0x2).
  4. ocfs2_move_extent()/ocfs2_defrag_extent() then call __ocfs2_move_extent(), which clears the OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0).
  5. Critically, the extent map cache is not invalidated after the move.
  6. Later write() operations read the stale cached flags (0x2), while the disk now contains the updated flags (0x0).
  7. This mismatch triggers a BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)), resulting in a kernel panic.

CVSS Analysis

No CVSS score has been assigned to CVE-2025-40233 at the time of writing. However, because the bug produces a kernel panic and systems depend entirely on the kernel, it is expected to be rated high severity once a score is calculated.

Possible Impact

The most immediate impact of this vulnerability is a kernel panic, leading to system downtime and potential data loss if the system is not properly shut down after the panic. Exploitation requires specific operations on OCFS2 file systems, making widespread exploitation somewhat less likely. However, systems utilizing OCFS2 for clustered storage are at significant risk.

Mitigation or Patch Steps

The identified fix for CVE-2025-40233 involves clearing the extent map cache after each extent move/defrag operation within __ocfs2_move_extents_range(). This ensures that subsequent operations read fresh extent data directly from the disk, preventing the inconsistency that triggers the kernel panic.
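The following is an added user-space model (not kernel code, and not from the original post) of the cache/disk inconsistency described in the Technical Details sequence and the fix described above. The flag value follows the page’s trace (flags=0x2); the struct layout and function names are assumptions made for this model.

```c
/* Added example: a user-space model of the stale extent-map cache.
 * "disk" holds the authoritative extent record; "cache" stands in for
 * the per-inode extent map cache. Layout and names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define OCFS2_EXT_REFCOUNTED 0x2   /* flag value from the page's trace (flags=0x2) */

struct extent_rec { uint32_t e_flags; };

struct inode_model {
    struct extent_rec disk;      /* on-disk extent record */
    struct extent_rec cache;     /* extent map cache entry */
    bool cache_valid;
};

/* Step 1: copy_file_range() leaves a reflinked extent on disk. */
static void reflink_extent(struct inode_model *ino) {
    ino->disk.e_flags = OCFS2_EXT_REFCOUNTED;
    ino->cache_valid = false;
}

/* Step 3: reading the extent populates the cache from disk. */
static struct extent_rec lookup_extent(struct inode_model *ino) {
    if (!ino->cache_valid) { ino->cache = ino->disk; ino->cache_valid = true; }
    return ino->cache;
}

/* Step 4: moving the extent clears OCFS2_EXT_REFCOUNTED on disk.
 * invalidate == false keeps the old cached flags (the bug, step 5);
 * invalidate == true drops the cache entry, as the fix does. */
static void move_extent(struct inode_model *ino, bool invalidate) {
    lookup_extent(ino);                          /* cached with flags=0x2 */
    ino->disk.e_flags &= ~OCFS2_EXT_REFCOUNTED;  /* disk now flags=0x0 */
    if (invalidate) ino->cache_valid = false;
}

/* Steps 6-7: a later write compares cached flags with disk. Returns true
 * when they agree; false stands in for the kernel's BUG_ON. */
static bool write_path_consistent(struct inode_model *ino) {
    struct extent_rec cached = lookup_extent(ino);
    return cached.e_flags == ino->disk.e_flags;
}

/* Runs the sequence and reports whether the write path stays consistent. */
bool run_sequence(bool with_fix) {
    struct inode_model ino; memset(&ino, 0, sizeof ino);
    reflink_extent(&ino);
    move_extent(&ino, with_fix);
    return write_path_consistent(&ino);
}
```

Without invalidation the write path sees 0x2 in the cache and 0x0 on disk; with the cache cleared after the move, the write path re-reads the disk and the two agree.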

The following steps address this vulnerability:

  • Update to a kernel version containing the fix. Check your distribution’s security advisories for patched kernel versions.
  • If patching immediately is not possible, avoid using copy_file_range() followed by ioctl(FITRIM) on OCFS2 file systems until a patch is applied.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
