Vulnerability Details
Basic Information
| Title | CVE-2025-37858 |
|---|---|
| Type | cve |
| Published | 2025-05-09T07:16:06 |
| Last Seen | 2025-05-09T07:28:34 |
| CVSS Score | 0.0 () |
CVSS v3 Details
| Attack Vector | |
|---|---|
| Attack Complexity | |
| Privileges Required | |
| User Interaction | |
| Scope | |
| Confidentiality Impact | |
| Integrity Impact | |
| Availability Impact |
CVE Information
| CVE IDs | CVE-2025-37858 |
|---|---|
| CWE | |
| Bulletin Family | cve |
Description
fs/jfs: Prevent integer overflow in AG size calculation
The JFS filesystem calculates allocation group (AG) size using 1 <<
l2agsize in dbExtendFS(). When l2agsize exceeds 31 (possible with >2TB
aggregates on 32-bit systems), this 32-bit shift operation causes undefined
behavior and improper AG sizing.
On 32-bit architectures:
– Left-shifting 1 by 32+ bits results in 0 due to integer overflow
– This creates invalid AG sizes (0 or garbage values) in
sbi->bmap->db_agsize
– Subsequent block allocations would reference invalid AG structures
– Could lead to:
– Filesystem corruption during extend operations
– Kernel crashes due to invalid memory accesses
– Security vulnerabilities via malformed on-disk structures
Fix by casting to s64 before shifting:
bmp->db_agsize = (s64)1 << l2agsize;
This ensures 64-bit arithmetic even on 32-bit architectures. The cast
matches the data type of db_agsize (s64) and follows similar patterns in
JFS block calculation code.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Impact Assessment
| Base Score | 0.0 |
|---|---|
| Severity |