Overview
CVE-2025-40246 describes an out-of-bounds read vulnerability discovered in the XFS filesystem driver of the Linux kernel. This flaw can be triggered during symlink repair operations, potentially leading to system instability, denial of service, or even information disclosure. A fix has been implemented and backported to stable kernel branches.
Technical Details
The vulnerability lies in the xrep_symlink_salvage_inline function of the XFS online repair code, which copies an inline symlink target out of the inode's data fork. The defect is an incorrect calculation of the copy length: the min() call that determines it incorrectly takes xfs_ifork::if_bytes, the size of the xfs_ifork::if_data buffer, as one of its operands. That buffer can be smaller than the data fork size, notably when the symlink target is short (a single-byte symlink, for example), so the resulting length does not reflect the allocation actually backing if_data, and the memcpy reads beyond it. The result is an out-of-bounds read of kernel heap memory.
The original bug report from the test fleet highlighted this issue, showing a KFENCE error:
==================================================================
BUG: KFENCE: out-of-bounds read in memcpy_orig+0x54/0x110
Out-of-bounds read at 0xffff88843fe9e038 (184B right of kfence-#184):
memcpy_orig+0x54/0x110
xrep_symlink_salvage_inline+0xb3/0xf0 [xfs]
xrep_symlink_salvage+0x100/0x110 [xfs]
xrep_symlink+0x2e/0x80 [xfs]
xrep_attempt+0x61/0x1f0 [xfs]
xfs_scrub_metadata+0x34f/0x5c0 [xfs]
xfs_ioc_scrubv_metadata+0x387/0x560 [xfs]
xfs_file_ioctl+0xe23/0x10e0 [xfs]
__x64_sys_ioctl+0x76/0xc0
do_syscall_64+0x4e/0x1e0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
kfence-#184: 0xffff88843fe9df80-0xffff88843fe9dfea, size=107, cache=kmalloc-128
allocated by task 3470 on cpu 1 at 263329.131592s (192823.508886s ago):
xfs_init_local_fork+0x79/0xe0 [xfs]
xfs_iformat_local+0xa4/0x170 [xfs]
xfs_iformat_data_fork+0x148/0x180 [xfs]
xfs_inode_from_disk+0x2cd/0x480 [xfs]
xfs_iget+0x450/0xd60 [xfs]
xfs_bulkstat_one_int+0x6b/0x510 [xfs]
xfs_bulkstat_iwalk+0x1e/0x30 [xfs]
xfs_iwalk_ag_recs+0xdf/0x150 [xfs]
xfs_iwalk_run_callbacks+0xb9/0x190 [xfs]
xfs_iwalk_ag+0x1dc/0x2f0 [xfs]
xfs_iwalk_args.constprop.0+0x6a/0x120 [xfs]
xfs_iwalk+0xa4/0xd0 [xfs]
xfs_bulkstat+0xfa/0x170 [xfs]
xfs_ioc_fsbulkstat.isra.0+0x13a/0x230 [xfs]
xfs_file_ioctl+0xbf2/0x10e0 [xfs]
__x64_sys_ioctl+0x76/0xc0
do_syscall_64+0x4e/0x1e0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
CPU: 1 UID: 0 PID: 1300113 Comm: xfs_scrub Not tainted 6.18.0-rc4-djwx #rc4 PREEMPT(lazy) 3d744dd94e92690f00a04398d2bd8631dcef1954
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-4.module+el8.8.0+21164+ed375313 04/01/2014
==================================================================
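As an added illustration, not the kernel's code or the patch, the C model below shows the copy-length mistake described above next to its corrected form. It assumes the copy length was bounded by the fork's nominal capacity rather than by the if_data allocation, which is what the 107-byte KFENCE object and the 184-byte read offset in the report indicate; struct ifork, FORK_CAPACITY and the sample targets are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of an in-core data fork (constructed; not struct xfs_ifork).
 * if_data is allocated as if_bytes + 1 zero-terminated bytes, as the 107-byte
 * object for a 106-byte target in the KFENCE report above suggests. */
struct ifork {
    const char *if_data;    /* buffer holding the inline symlink target */
    unsigned int if_bytes;  /* bytes of target data held in if_data */
};

#define SYMLINK_MAXLEN 1024u
#define MIN(a, b) ((a) < (b) ? (a) : (b))
/* Data fork capacity: the inode's literal area, fixed by the inode size and
 * unrelated to the target length. Constructed value. */
#define FORK_CAPACITY 336u

/* Buggy pattern: the copy length is bounded by the fork capacity only, so a
 * short target (e.g. 1 byte) yields a length far beyond the buffer. */
static unsigned int buggy_copy_len(const struct ifork *ifp)
{
    (void)ifp;   /* the buffer's own size never enters the calculation */
    return MIN(SYMLINK_MAXLEN, FORK_CAPACITY);
}

/* Corrected pattern: never copy more than the bytes held in if_data. */
static unsigned int fixed_copy_len(const struct ifork *ifp)
{
    return MIN(SYMLINK_MAXLEN, ifp->if_bytes);
}

/* True when copying nr bytes from if_data would read past its allocation
 * (the condition KFENCE caught at runtime in the report). */
static int overreads(const struct ifork *ifp, unsigned int nr)
{
    return nr > ifp->if_bytes + 1;
}

/* Salvage with the corrected bound; returns bytes copied, 0 if empty. */
static unsigned int salvage_inline(const struct ifork *ifp, char *out, size_t out_len)
{
    unsigned int nr = fixed_copy_len(ifp);
    if (!ifp->if_data || nr == 0)
        return 0;
    if (nr > out_len)
        nr = (unsigned int)out_len;
    memcpy(out, ifp->if_data, nr);   /* in bounds: nr <= if_bytes */
    return nr;
}
```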
CVSS Analysis
As of the publication date, a CVSS score has not been formally assigned to CVE-2025-40246. However, considering the potential for information disclosure, denial of service, and the location of the vulnerability within the kernel, a moderate to high severity rating is anticipated. Further updates will be provided as they become available.
Possible Impact
Exploitation of this vulnerability could have the following consequences:
- Information Disclosure: Sensitive data stored near the affected memory region could be leaked.
- Denial of Service (DoS): Reading beyond the allocated memory region could lead to kernel crashes and system instability.
- Privilege Escalation (Theoretical): While less likely, in certain circumstances, an attacker might be able to leverage the out-of-bounds read to corrupt kernel memory, potentially leading to privilege escalation.
Mitigation or Patch Steps
The recommended mitigation is to apply the patch provided by the Linux kernel developers. This patch corrects the buffer size calculation in xrep_symlink_salvage_inline, preventing the out-of-bounds read. Users should update their kernels to a version containing the fix; distribution vendors will likely provide updated kernel packages. Note that the affected function sits in the XFS online repair path, which xfs_scrub reaches through the scrub ioctl, as the stack trace above shows, so systems that run xfs_scrub are the ones that exercise this code.
