{"id":"AZL-64746","summary":"CVE-2025-38222 affecting package kernel for versions less than 6.6.96.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: inline: fix len overflow in ext4_prepare_inline_data\n\nWhen running the following code on an ext4 filesystem with inline_data\nfeature enabled, it will lead to the bug below.\n\n        fd = open(\"file1\", O_RDWR | O_CREAT | O_TRUNC, 0666);\n        ftruncate(fd, 30);\n        pwrite(fd, \"a\", 1, (1UL \u003c\u003c 40) + 5UL);\n\nThat happens because write_begin will succeed as when\next4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len\nwill be truncated, leading to ext4_prepare_inline_data parameter to be 6\ninstead of 0x10000000006.\n\nThen, later when write_end is called, we hit:\n\n        BUG_ON(pos + len \u003e EXT4_I(inode)-\u003ei_inline_size);\n\nat ext4_write_inline_data.\n\nFix it by using a loff_t type for the len parameter in\next4_prepare_inline_data instead of an unsigned int.\n\n---truncated---","modified":"2026-04-01T05:20:50.456341Z","published":"2025-07-04T14:15:30Z","upstream":["CVE-2025-38222"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38222"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.96.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64746.json"}}],"schema_version":"1.7.5"}