CVE-2025-37858 - Vulnerability Details

Link	Providers
https://git.kernel.org/stable/c/211ed8f5e39e61f9e4d18edd64ce8005a67a1b2a
https://git.kernel.org/stable/c/3d8a45f87010a802aa214bf39702ca9d99cbf3ba
https://git.kernel.org/stable/c/55edbf5dbf60a8195c21e92124c4028939ae16b2
https://git.kernel.org/stable/c/7ccf3b35274512b60ecb614e0637e76bd6f2d829
https://git.kernel.org/stable/c/7fcbf789629cdb9fbf4e2172ce31136cfed11e5e
https://git.kernel.org/stable/c/8bb29629a5e4090e1ef7199cb42db04a52802239
https://git.kernel.org/stable/c/c802a6a4009f585111f903e810b3be9c6d0da329
https://git.kernel.org/stable/c/dd07a985e2ded47b6c7d69fc93c1fe02977c8454
https://git.kernel.org/stable/c/ec34cdf4f917cc6abd306cf091f8b8361fedac88

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: fs/jfs: Prevent integer overflow in AG size calculation The JFS filesystem calculates allocation group (AG) size using 1 << l2agsize in dbExtendFS(). When l2agsize exceeds 31 (possible with >2TB aggregates on 32-bit systems), this 32-bit shift operation causes undefined behavior and improper AG sizing. On 32-bit architectures: - Left-shifting 1 by 32+ bits results in 0 due to integer overflow - This creates invalid AG sizes (0 or garbage values) in sbi->bmap->db_agsize - Subsequent block allocations would reference invalid AG structures - Could lead to: - Filesystem corruption during extend operations - Kernel crashes due to invalid memory accesses - Security vulnerabilities via malformed on-disk structures Fix by casting to s64 before shifting: bmp->db_agsize = (s64)1 << l2agsize; This ensures 64-bit arithmetic even on 32-bit architectures. The cast matches the data type of db_agsize (s64) and follows similar patterns in JFS block calculation code. Found by Linux Verification Center (linuxtesting.org) with SVACE.
Title		fs/jfs: Prevent integer overflow in AG size calculation
References		https://git.kernel.org/stable/c/211ed8f5e39e61f9e4d18edd64ce8005a67a1b2a https://git.kernel.org/stable/c/3d8a45f87010a802aa214bf39702ca9d99cbf3ba https://git.kernel.org/stable/c/55edbf5dbf60a8195c21e92124c4028939ae16b2 https://git.kernel.org/stable/c/7ccf3b35274512b60ecb614e0637e76bd6f2d829 https://git.kernel.org/stable/c/7fcbf789629cdb9fbf4e2172ce31136cfed11e5e https://git.kernel.org/stable/c/8bb29629a5e4090e1ef7199cb42db04a52802239 https://git.kernel.org/stable/c/c802a6a4009f585111f903e810b3be9c6d0da329 https://git.kernel.org/stable/c/dd07a985e2ded47b6c7d69fc93c1fe02977c8454 https://git.kernel.org/stable/c/ec34cdf4f917cc6abd306cf091f8b8361fedac88

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-37858", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:23.957Z", "datePublished": "2025-05-09T06:42:05.940Z", "dateUpdated": "2025-05-09T06:42:05.940Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-09T06:42:05.940Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: Prevent integer overflow in AG size calculation\n\nThe JFS filesystem calculates allocation group (AG) size using 1 <<\nl2agsize in dbExtendFS(). When l2agsize exceeds 31 (possible with >2TB\naggregates on 32-bit systems), this 32-bit shift operation causes undefined\nbehavior and improper AG sizing.\n\nOn 32-bit architectures:\n- Left-shifting 1 by 32+ bits results in 0 due to integer overflow\n- This creates invalid AG sizes (0 or garbage values) in\nsbi->bmap->db_agsize\n- Subsequent block allocations would reference invalid AG structures\n- Could lead to:\n - Filesystem corruption during extend operations\n - Kernel crashes due to invalid memory accesses\n - Security vulnerabilities via malformed on-disk structures\n\nFix by casting to s64 before shifting:\nbmp->db_agsize = (s64)1 << l2agsize;\n\nThis ensures 64-bit arithmetic even on 32-bit architectures. The cast\nmatches the data type of db_agsize (s64) and follows similar patterns in\nJFS block calculation code.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/jfs/jfs_dmap.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "dd07a985e2ded47b6c7d69fc93c1fe02977c8454", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "8bb29629a5e4090e1ef7199cb42db04a52802239", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "3d8a45f87010a802aa214bf39702ca9d99cbf3ba", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "55edbf5dbf60a8195c21e92124c4028939ae16b2", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "7ccf3b35274512b60ecb614e0637e76bd6f2d829", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "c802a6a4009f585111f903e810b3be9c6d0da329", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "211ed8f5e39e61f9e4d18edd64ce8005a67a1b2a", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "ec34cdf4f917cc6abd306cf091f8b8361fedac88", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "7fcbf789629cdb9fbf4e2172ce31136cfed11e5e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/jfs/jfs_dmap.c"], "versions": [{"version": "5.4.293", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.237", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.181", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.135", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.88", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.24", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.12", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.3", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.293"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.237"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.181"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.13.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/dd07a985e2ded47b6c7d69fc93c1fe02977c8454"}, {"url": "https://git.kernel.org/stable/c/8bb29629a5e4090e1ef7199cb42db04a52802239"}, {"url": "https://git.kernel.org/stable/c/3d8a45f87010a802aa214bf39702ca9d99cbf3ba"}, {"url": "https://git.kernel.org/stable/c/55edbf5dbf60a8195c21e92124c4028939ae16b2"}, {"url": "https://git.kernel.org/stable/c/7ccf3b35274512b60ecb614e0637e76bd6f2d829"}, {"url": "https://git.kernel.org/stable/c/c802a6a4009f585111f903e810b3be9c6d0da329"}, {"url": "https://git.kernel.org/stable/c/211ed8f5e39e61f9e4d18edd64ce8005a67a1b2a"}, {"url": "https://git.kernel.org/stable/c/ec34cdf4f917cc6abd306cf091f8b8361fedac88"}, {"url": "https://git.kernel.org/stable/c/7fcbf789629cdb9fbf4e2172ce31136cfed11e5e"}], "title": "fs/jfs: Prevent integer overflow in AG size calculation", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: Prevent integer overflow in AG size calculation\n\nThe JFS filesystem calculates allocation group (AG) size using 1 <<\nl2agsize in dbExtendFS(). When l2agsize exceeds 31 (possible with >2TB\naggregates on 32-bit systems), this 32-bit shift operation causes undefined\nbehavior and improper AG sizing.\n\nOn 32-bit architectures:\n- Left-shifting 1 by 32+ bits results in 0 due to integer overflow\n- This creates invalid AG sizes (0 or garbage values) in\nsbi->bmap->db_agsize\n- Subsequent block allocations would reference invalid AG structures\n- Could lead to:\n - Filesystem corruption during extend operations\n - Kernel crashes due to invalid memory accesses\n - Security vulnerabilities via malformed on-disk structures\n\nFix by casting to s64 before shifting:\nbmp->db_agsize = (s64)1 << l2agsize;\n\nThis ensures 64-bit arithmetic even on 32-bit architectures. The cast\nmatches the data type of db_agsize (s64) and follows similar patterns in\nJFS block calculation code.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}], "id": "CVE-2025-37858", "lastModified": "2025-05-09T07:16:06.827", "metrics": {}, "published": "2025-05-09T07:16:06.827", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/211ed8f5e39e61f9e4d18edd64ce8005a67a1b2a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3d8a45f87010a802aa214bf39702ca9d99cbf3ba"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/55edbf5dbf60a8195c21e92124c4028939ae16b2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7ccf3b35274512b60ecb614e0637e76bd6f2d829"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7fcbf789629cdb9fbf4e2172ce31136cfed11e5e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8bb29629a5e4090e1ef7199cb42db04a52802239"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c802a6a4009f585111f903e810b3be9c6d0da329"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dd07a985e2ded47b6c7d69fc93c1fe02977c8454"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ec34cdf4f917cc6abd306cf091f8b8361fedac88"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object