{"id":"CVE-2025-40306","summary":"orangefs: fix xattr related buffer overflow...","details":"In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: fix xattr related buffer overflow...\n\nWilly Tarreau \u003cw@1wt.eu\u003e forwarded me a message from\nDisclosure \u003cdisclosure@aisle.com\u003e with the following\nwarning:\n\n\u003e The helper `xattr_key()` uses the pointer variable in the loop condition\n\u003e rather than dereferencing it. As `key` is incremented, it remains non-NULL\n\u003e (until it runs into unmapped memory), so the loop does not terminate on\n\u003e valid C strings and will walk memory indefinitely, consuming CPU or hanging\n\u003e the thread.\n\nI easily reproduced this with setfattr and getfattr, causing a kernel\noops, hung user processes and corrupted orangefs files. Disclosure\nsent along a diff (not a patch) with a suggested fix, which I based\nthis patch on.\n\nAfter xattr_key started working right, xfstest generic/069 exposed an\nxattr related memory leak that led to OOM. xattr_key returns\na hashed key.  When adding xattrs to the orangefs xattr cache, orangefs\nused hash_add, a kernel hashing macro. hash_add also hashes the key using\nhash_log which resulted in additions to the xattr cache going to the wrong\nhash bucket. generic/069 tortures a single file and orangefs does a\ngetattr for the xattr \"security.capability\" every time. Orangefs\nnegative caches on xattrs which includes a kmalloc. Since adds to the\nxattr cache were going to the wrong bucket, every getattr for\n\"security.capability\" resulted in another kmalloc, none of which were\never freed.\n\nI changed the two uses of hash_add to hlist_add_head instead\nand the memory leak ceased and generic/069 quit throwing furniture.","modified":"2026-03-31T17:29:37.855906420Z","published":"2025-12-08T00:46:31.514Z","related":["MGASA-2026-0017","MGASA-2026-0018","SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40306.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/025e880759c279ec64d0f754fe65bf45961da864"},{"type":"WEB","url":"https://git.kernel.org/stable/c/15afebb9597449c444801d1ff0b8d8b311f950ab"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9127d1e90c90e5960c8bc72a4ce2c209691a7021"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bc812574de633cf9a9ad6974490e45f6a4bb5126"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c2ca015ac109fd743fdde27933d59dc5ad46658e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c6564ff6b53c9a8dc786b6f1c51ae7688273f931"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e09a096104fc65859422817fb2211f35855983fe"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ef892d2bf4f3fa2c8de1677dd307e678bdd3d865"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40306.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40306"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f7ab093f74bf638ed98fd1115f3efa17e308bb7f"},{"fixed":"c6564ff6b53c9a8dc786b6f1c51ae7688273f931"},{"fixed":"ef892d2bf4f3fa2c8de1677dd307e678bdd3d865"},{"fixed":"15afebb9597449c444801d1ff0b8d8b311f950ab"},{"fixed":"bc812574de633cf9a9ad6974490e45f6a4bb5126"},{"fixed":"e09a096104fc65859422817fb2211f35855983fe"},{"fixed":"9127d1e90c90e5960c8bc72a4ce2c209691a7021"},{"fixed":"c2ca015ac109fd743fdde27933d59dc5ad46658e"},{"fixed":"025e880759c279ec64d0f754fe65bf45961da864"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40306.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.6.0"},{"fixed":"5.4.302"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.247"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.197"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.159"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.117"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.58"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.8"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40306.json"}}],"schema_version":"1.7.5"}