ext4: fix string copying in parse_apply_sb_mount_options()
Summary
| CVE | CVE-2025-71123 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-01-14 15:16:02 UTC |
| Updated | 2026-07-14 13:18:03 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()") provides additional information in that regard. So if this happens, the following warning is observed: strnlen: detected buffer overflow: 65 byte read of buffer size 64 WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Modules linked in: CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Call Trace: <TASK> __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039 strnlen include/linux/fortify-string.h:235 [inline] sized_strscpy include/linux/fortify-string.h:309 [inline] parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline] __ext4_fill_super fs/ext4/super.c:5261 [inline] ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706 get_tree_bdev_flags+0x387/0x620 fs/super.c:1636 vfs_get_tree+0x93/0x380 fs/super.c:1814 do_new_mount fs/namespace.c:3553 [inline] path_mount+0x6ae/0x1f70 fs/namespace.c:3880 do_mount fs/namespace.c:3893 [inline] __do_sys_mount fs/namespace.c:4103 [inline] __se_sys_mount fs/namespace.c:4080 [inline] __x64_sys_mount+0x280/0x300 fs/namespace.c:4080 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e Since userspace is expected to provide s_mount_opts field to be at most 63 characters long with the ending byte being NUL-term, use a 64-byte buffer which matches the size of s_mount_opts, so that strscpy_pad() does its job properly. Return with error if the user still managed to provide a non-NUL-term string here. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Problem Types: NVD-CWE-noinfo
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected b2bac84fde28fb6a88817b8b761abda17a1d300b 52ac96c4a2dd7bc47666000440b0602d9742e820 git | Not specified |
| CNA | Linux | Linux | affected e651294218d2684302ee5ed95ccf381646f3e5b4 6e37143560e37869d51b7d9e0ac61fc48895f8a0 git | Not specified |
| CNA | Linux | Linux | affected 01829af7656b56d83682b3491265d583d502e502 902ca2356f1e3ec5355c5808ad5d3f9d0095b0cc git | Not specified |
| CNA | Linux | Linux | affected 2a0cf438320cdb783e0378570744c0ef0d83e934 db9ee13fab0267eccf6544ee35b16c9522db9aac git | Not specified |
| CNA | Linux | Linux | affected 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 5bbacbbf1ca4419861dca3c6b82707c10e9c021c git | Not specified |
| CNA | Linux | Linux | affected 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 ee5a977b4e771cc181f39d504426dbd31ed701cc git | Not specified |
| CNA | Linux | Linux | affected 7bf46ff83a0ef11836e38ebd72cdc5107209342d git | Not specified |
| CNA | Linux | Linux | affected a6e94557cd05adc82fae0400f6e17745563e5412 git | Not specified |
| CNA | Linux | Linux | affected 5.10.246 5.10.248 semver | Not specified |
| CNA | Linux | Linux | affected 6.1.158 6.1.160 semver | Not specified |
| CNA | Linux | Linux | affected 6.6.114 6.6.120 semver | Not specified |
| CNA | Linux | Linux | affected 6.12.54 6.12.64 semver | Not specified |
| CNA | Linux | Linux | affected 5.4.301 5.5 semver | Not specified |
| CNA | Linux | Linux | affected 6.17.4 6.18 semver | Not specified |
| CNA | Linux | Linux | affected 6.18 | Not specified |
| CNA | Linux | Linux | unaffected 6.18 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.248 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.160 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.120 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.64 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.3 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19 * original_commit_for_fix | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.6 * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.6 * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | affected V3.1.6 * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | affected V3.1.6 * custom | Not specified |
| ADP | Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.6 * custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/ee5a977b4e771cc181f39d504426dbd31ed701cc | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/db9ee13fab0267eccf6544ee35b16c9522db9aac | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/902ca2356f1e3ec5355c5808ad5d3f9d0095b0cc | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| cert-portal.siemens.com/productcert/html/ssa-019113.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/52ac96c4a2dd7bc47666000440b0602d9742e820 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/5bbacbbf1ca4419861dca3c6b82707c10e9c021c | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/6e37143560e37869d51b7d9e0ac61fc48895f8a0 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.