CVE-2025-38337 (GCVE-0-2025-38337)
Vulnerability from cvelistv5
Published
2025-07-10 08:15
Modified
2025-07-28 04:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()
Since handle->h_transaction may be a NULL pointer, so we should change it
to call is_handle_aborted(handle) first before dereferencing it.
And the following data-race was reported in my fuzzer:
==================================================================
BUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata
write to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1:
jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556
__ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358
ext4_do_update_inode fs/ext4/inode.c:5220 [inline]
ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869
__ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074
ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103
....
read to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0:
jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512
__ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358
ext4_do_update_inode fs/ext4/inode.c:5220 [inline]
ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869
__ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074
ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103
....
value changed: 0x00000000 -> 0x00000001
==================================================================
This issue is caused by missing data-race annotation for jh->b_modified.
Therefore, the missing annotation needs to be added.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ► | Linux | Linux |
Version: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 Version: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 Version: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 Version: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 Version: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 Version: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 Version: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 Version: 6e06ae88edae77379bef7c0cb7d3c2dd88676867 |
|
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jbd2/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c1a34ff5b0bfdfd2f9343aa9b08d25df618bac5",
"status": "affected",
"version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
"versionType": "git"
},
{
"lessThan": "ec669e5bf409f16e464bfad75f0ba039a45de29a",
"status": "affected",
"version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
"versionType": "git"
},
{
"lessThan": "43d5e3bb5f1dcd91e30238ea0b59a5f77063f84e",
"status": "affected",
"version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
"versionType": "git"
},
{
"lessThan": "23361b479f2700c00960d3ae9cdc8ededa762d47",
"status": "affected",
"version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
"versionType": "git"
},
{
"lessThan": "2e7c64d7a92c031d016f11c8e8cb05131ab7b75a",
"status": "affected",
"version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
"versionType": "git"
},
{
"lessThan": "f78b38af3540b4875147b7b884ee11a27b3dbf4c",
"status": "affected",
"version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
"versionType": "git"
},
{
"lessThan": "a377996d714afb8d4d5f4906336f78510039da29",
"status": "affected",
"version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
"versionType": "git"
},
{
"lessThan": "af98b0157adf6504fade79b3e6cb260c4ff68e37",
"status": "affected",
"version": "6e06ae88edae77379bef7c0cb7d3c2dd88676867",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jbd2/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()\n\nSince handle-\u003eh_transaction may be a NULL pointer, so we should change it\nto call is_handle_aborted(handle) first before dereferencing it.\n\nAnd the following data-race was reported in my fuzzer:\n\n==================================================================\nBUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata\n\nwrite to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1:\n jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556\n __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358\n ext4_do_update_inode fs/ext4/inode.c:5220 [inline]\n ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869\n __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074\n ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103\n....\n\nread to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0:\n jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512\n __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358\n ext4_do_update_inode fs/ext4/inode.c:5220 [inline]\n ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869\n __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074\n ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103\n....\n\nvalue changed: 0x00000000 -\u003e 0x00000001\n==================================================================\n\nThis issue is caused by missing data-race annotation for jh-\u003eb_modified.\nTherefore, the missing annotation needs to be added."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:19:18.470Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c1a34ff5b0bfdfd2f9343aa9b08d25df618bac5"
},
{
"url": "https://git.kernel.org/stable/c/ec669e5bf409f16e464bfad75f0ba039a45de29a"
},
{
"url": "https://git.kernel.org/stable/c/43d5e3bb5f1dcd91e30238ea0b59a5f77063f84e"
},
{
"url": "https://git.kernel.org/stable/c/23361b479f2700c00960d3ae9cdc8ededa762d47"
},
{
"url": "https://git.kernel.org/stable/c/2e7c64d7a92c031d016f11c8e8cb05131ab7b75a"
},
{
"url": "https://git.kernel.org/stable/c/f78b38af3540b4875147b7b884ee11a27b3dbf4c"
},
{
"url": "https://git.kernel.org/stable/c/a377996d714afb8d4d5f4906336f78510039da29"
},
{
"url": "https://git.kernel.org/stable/c/af98b0157adf6504fade79b3e6cb260c4ff68e37"
}
],
"title": "jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38337",
"datePublished": "2025-07-10T08:15:08.396Z",
"dateReserved": "2025-04-16T04:51:24.005Z",
"dateUpdated": "2025-07-28T04:19:18.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-38337\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-10T09:15:28.373\",\"lastModified\":\"2025-07-10T13:17:30.017\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\njbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()\\n\\nSince handle-\u003eh_transaction may be a NULL pointer, so we should change it\\nto call is_handle_aborted(handle) first before dereferencing it.\\n\\nAnd the following data-race was reported in my fuzzer:\\n\\n==================================================================\\nBUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata\\n\\nwrite to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1:\\n jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556\\n __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358\\n ext4_do_update_inode fs/ext4/inode.c:5220 [inline]\\n ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869\\n __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074\\n ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103\\n....\\n\\nread to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0:\\n jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512\\n __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358\\n ext4_do_update_inode fs/ext4/inode.c:5220 [inline]\\n ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869\\n __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074\\n ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103\\n....\\n\\nvalue changed: 0x00000000 -\u003e 0x00000001\\n==================================================================\\n\\nThis issue is caused by missing data-race annotation for jh-\u003eb_modified.\\nTherefore, the missing annotation needs to be added.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: jbd2: se corrigieron los errores data-race y null-ptr-deref en jbd2_journal_dirty_metadata(). Dado que handle-\u0026gt;h_transaction puede ser un puntero nulo, debemos modificarlo para que llame primero a is_handle_aborted(handle) antes de desreferenciarlo. La siguiente vulnerabilidad data-race se report\u00f3 en mi fuzzer: ======================================================================== BUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata write to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1: jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556 __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358 ext4_do_update_inode fs/ext4/inode.c:5220 [inline] ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869 __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074 ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103 .... read to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0: jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512 __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358 ext4_do_update_inode fs/ext4/inode.c:5220 [inline] ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869 __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074 ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103 .... value changed: 0x00000000 -\u0026gt; 0x00000001 ======================================================================== Este problema se debe a la falta de la anotaci\u00f3n de carrera de datos para jh-\u0026gt;b_modified. Por lo tanto, es necesario agregarla.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/23361b479f2700c00960d3ae9cdc8ededa762d47\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2e7c64d7a92c031d016f11c8e8cb05131ab7b75a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/43d5e3bb5f1dcd91e30238ea0b59a5f77063f84e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5c1a34ff5b0bfdfd2f9343aa9b08d25df618bac5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a377996d714afb8d4d5f4906336f78510039da29\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/af98b0157adf6504fade79b3e6cb260c4ff68e37\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ec669e5bf409f16e464bfad75f0ba039a45de29a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f78b38af3540b4875147b7b884ee11a27b3dbf4c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…