{"id":"AZL-64829","summary":"CVE-2025-38260 affecting package kernel for versions less than 6.6.96.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle csum tree error with rescue=ibadroots correctly\n\n[BUG]\nThere is syzbot based reproducer that can crash the kernel, with the\nfollowing call trace: (With some debug output added)\n\n DEBUG: rescue=ibadroots parsed\n BTRFS: device fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 devid 1 transid 8 /dev/loop0 (7:0) scanned by repro (1010)\n BTRFS info (device loop0): first mount of filesystem 14d642db-7b15-43e4-81e6-4b8fac6a25f8\n BTRFS info (device loop0): using blake2b (blake2b-256-generic) checksum algorithm\n BTRFS info (device loop0): using free-space-tree\n BTRFS warning (device loop0): checksum verify failed on logical 5312512 mirror 1 wanted 0xb043382657aede36608fd3386d6b001692ff406164733d94e2d9a180412c6003 found 0x810ceb2bacb7f0f9eb2bf3b2b15c02af867cb35ad450898169f3b1f0bd818651 level 0\n DEBUG: read tree root path failed for tree csum, ret=-5\n BTRFS warning (device loop0): checksum verify failed on logical 5328896 mirror 1 wanted 0x51be4e8b303da58e6340226815b70e3a93592dac3f30dd510c7517454de8567a found 0x51be4e8b303da58e634022a315b70e3a93592dac3f30dd510c7517454de8567a level 0\n BTRFS warning (device loop0): checksum verify failed on logical 5292032 mirror 1 wanted 0x1924ccd683be9efc2fa98582ef58760e3848e9043db8649ee382681e220cdee4 found 0x0cb6184f6e8799d9f8cb335dccd1d1832da1071d12290dab3b85b587ecacca6e level 0\n process 'repro' launched './file2' with NULL argv: empty string added\n DEBUG: no csum root, idatacsums=0 ibadroots=134217728\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]\n CPU: 5 UID: 0 PID: 1010 Comm: repro Tainted: G           OE       6.15.0-custom+ #249 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022\n RIP: 0010:btrfs_lookup_csum+0x93/0x3d0 [btrfs]\n Call Trace:\n  \u003cTASK\u003e\n  btrfs_lookup_bio_sums+0x47a/0xdf0 [btrfs]\n  btrfs_submit_bbio+0x43e/0x1a80 [btrfs]\n  submit_one_bio+0xde/0x160 [btrfs]\n  btrfs_readahead+0x498/0x6a0 [btrfs]\n  read_pages+0x1c3/0xb20\n  page_cache_ra_order+0x4b5/0xc20\n  filemap_get_pages+0x2d3/0x19e0\n  filemap_read+0x314/0xde0\n  __kernel_read+0x35b/0x900\n  bprm_execve+0x62e/0x1140\n  do_execveat_common.isra.0+0x3fc/0x520\n  __x64_sys_execveat+0xdc/0x130\n  do_syscall_64+0x54/0x1d0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nFirstly the fs has a corrupted csum tree root, thus to mount the fs we\nhave to go \"ro,rescue=ibadroots\" mount option.\n\nNormally with that mount option, a bad csum tree root should set\nBTRFS_FS_STATE_NO_DATA_CSUMS flag, so that any future data read will\nignore csum search.\n\nBut in this particular case, we have the following call trace that\ncaused NULL csum root, but not setting BTRFS_FS_STATE_NO_DATA_CSUMS:\n\nload_global_roots_objectid():\n\n\t\tret = btrfs_search_slot();\n\t\t/* Succeeded */\n\t\tbtrfs_item_key_to_cpu()\n\t\tfound = true;\n\t\t/* We found the root item for csum tree. */\n\t\troot = read_tree_root_path();\n\t\tif (IS_ERR(root)) {\n\t\t\tif (!btrfs_test_opt(fs_info, IGNOREBADROOTS))\n\t\t\t/*\n\t\t\t * Since we have rescue=ibadroots mount option,\n\t\t\t * @ret is still 0.\n\t\t\t */\n\t\t\tbreak;\n\tif (!found || ret) {\n\t\t/* @found is true, @ret is 0, error handling for csum\n\t\t * tree is skipped.\n\t\t */\n\t}\n\nThis means we completely skipped to set BTRFS_FS_STATE_NO_DATA_CSUMS if\nthe csum tree is corrupted, which results unexpected later csum lookup.\n\n[FIX]\nIf read_tree_root_path() failed, always populate @ret to the error\nnumber.\n\nAs at the end of the function, we need @ret to determine if we need to\ndo the extra error handling for csum tree.","modified":"2026-04-01T05:20:25.153932Z","published":"2025-07-09T11:15:28Z","upstream":["CVE-2025-38260"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38260"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.96.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64829.json"}}],"schema_version":"1.7.5"}