A recently discovered vulnerability in the Linux kernel's Common Internet File System (CIFS) implementation has been resolved. The issue, identified as CVE-2025-21964, affects the kernel's handling of the "acregmax" mount option and can lead to an integer overflow. It was found by the Linux Verification Center (linuxtesting.org) using SVACE, a static analysis tool.
The Bug: CVE-2025-21964
When configuring a mount using the CIFS file system, an "acregmax" mount option can be set. This option specifies the maximum time, in seconds, that a file's attributes are cached before the client checks the server again for changes. The acregmax parameter is of type u32, so the value it can hold is bounded. However, the user-provided value is converted from seconds to jiffies before it is validated against that bound, and the multiplication involved in the conversion can overflow.
The Linux kernel code with the vulnerability is shown below:
static int cifs_parse_security_flavors(struct smb_vol *vol)
{
    ...
    if (acregmax)
        vol->acregmax = (*acregmax) * HZ;
    ...
}
In this code snippet, *acregmax is the user-provided value and HZ is a constant defined in the Linux kernel headers giving the number of jiffies per second. When *acregmax is multiplied by HZ, the resulting vol->acregmax wraps around if the user supplies a value large enough that the product exceeds what the type can hold.
References
- Original report: sourceware.org
- Linux kernel source code: kernel.org
A patch has been applied to fix this vulnerability, as shown below:
static int cifs_parse_security_flavors(struct smb_vol *vol)
{
    ...
    if (acregmax)
        vol->acregmax = min_t(u32, ULONG_MAX/HZ, (*acregmax)) * HZ;
    ...
}
This patch clamps the user-provided value of *acregmax to ULONG_MAX/HZ, the largest multiplicand whose product with HZ still fits in vol->acregmax. This ensures that (*acregmax) * HZ stays within the range of u32, preventing the integer overflow.
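To make the arithmetic concrete, the following is an added user-space C example; it is not the page's kernel snippet and not the upstream patch. It reproduces the seconds-to-jiffies wrap-around described in the bug section and shows both fix styles from the patch section: validate-before-multiply (reject out-of-range input) and clamp (cap the input as min_t does). HZ is assumed to be 1000 so the code runs outside the kernel; all function names and the sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption for this example: the kernel's jiffies-per-second constant is a
 * build option; 1000 is used here so the code runs in user space. */
#define HZ 1000U

/* Largest seconds value whose product with HZ still fits in a u32. */
#define ACREGMAX_MAX_SEC (UINT32_MAX / HZ)

/* Unchecked conversion mirroring the vulnerable pattern: the u32 product
 * silently wraps once seconds * HZ exceeds UINT32_MAX. */
uint32_t acregmax_to_jiffies_unchecked(uint32_t seconds)
{
    return seconds * HZ;
}

/* Detects whether the unchecked conversion would wrap, by recomputing the
 * product in 64 bits before comparing against the u32 limit. */
bool conversion_wraps(uint32_t seconds)
{
    return (uint64_t)seconds * HZ > UINT32_MAX;
}

/* Validate-before-multiply: the bound is checked on the seconds value, not on
 * the already-converted product. Returns -1 for out-of-range input, otherwise
 * the jiffies value (which always fits in a u32). */
int64_t acregmax_to_jiffies_checked(uint32_t seconds)
{
    if (seconds > ACREGMAX_MAX_SEC)
        return -1;
    return (int64_t)(seconds * HZ);
}

/* Clamp variant, mirroring the min_t() approach in the patch: the input is
 * capped so the multiplication can never wrap. */
uint32_t acregmax_to_jiffies_clamped(uint32_t seconds)
{
    uint32_t capped = seconds < ACREGMAX_MAX_SEC ? seconds : ACREGMAX_MAX_SEC;
    return capped * HZ;
}

int main(void)
{
    /* Constructed inputs: a sane cache time and one large enough to wrap. */
    uint32_t samples[] = { 60, 5000000 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t s = samples[i];
        printf("acregmax=%u s: unchecked=%u jiffies (wraps: %s), "
               "checked=%lld, clamped=%u\n",
               s, acregmax_to_jiffies_unchecked(s),
               conversion_wraps(s) ? "yes" : "no",
               (long long)acregmax_to_jiffies_checked(s),
               acregmax_to_jiffies_clamped(s));
    }
    return 0;
}
```

With HZ assumed as 1000, an input of 5000000 seconds yields 5000000000 jiffies, which does not fit in 32 bits; the unchecked path returns 705032704, a much shorter cache time than the user asked for, while the checked path rejects the value and the clamped path returns the largest representable product.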
Conclusion
The vulnerability CVE-2025-21964 in the Linux kernel's CIFS implementation has been identified and resolved. Users are urged to update to a Linux kernel that includes the patch to protect against potential exploitation of this integer overflow. Special thanks to the Linux Verification Center (linuxtesting.org) for discovering and reporting this issue.
Timeline
Published on: 04/01/2025 16:15:27 UTC
Last modified on: 05/04/2025 07:25:54 UTC