Close Menu
    DevStackTipsDevStackTips
    • Home
    • News & Updates
      1. Tech & Work
      2. View All

      8 Key Questions Every CEO Should Ask Before Hiring a Node.js Development Company in 2025

      July 11, 2025

      Vibe Loop: AI-native reliability engineering for the real world

      July 10, 2025

      Docker Compose gets new features for building and running agents

      July 10, 2025

      Why Enterprises Are Choosing AI-Driven React.js Development Companies in 2025

      July 10, 2025

      This discounted SSD fixed my gaming handheld’s biggest weakness — Extra storage space for Steam Deck, ASUS ROG Ally, and Lenovo Legion Go

      July 11, 2025

      These are the 5 Prime Day deals I’d buy if I weren’t about to have a baby

      July 11, 2025

      OpenAI’s $6.5 billion purchase fuels Sam Altman’s quest to build next-gen computers for “transcendentally good” AI — The biggest tech disruption since the iPhone?

      July 11, 2025

      Don’t miss out on the best ROG Ally accessory deals going on now — Improve your gaming handheld PC with a microSD card, power bank, dock, and more

      July 11, 2025
    • Development
      1. Algorithms & Data Structures
      2. Artificial Intelligence
      3. Back-End Development
      4. Databases
      5. Front-End Development
      6. Libraries & Frameworks
      7. Machine Learning
      8. Security
      9. Software Engineering
      10. Tools & IDEs
      11. Web Design
      12. Web Development
      13. Web Security
      14. Programming Languages
        • PHP
        • JavaScript
      Featured

      Regolith – A JavaScript library immune to ReDoS attacks

      July 11, 2025
      Recent

      Regolith – A JavaScript library immune to ReDoS attacks

      July 11, 2025

      Create Your Own Redux: Build a Custom State Management in React

      July 11, 2025

      Perficient Nagpur Celebrates Contentstack Implementation Certification Success!

      July 11, 2025
    • Operating Systems
      1. Windows
      2. Linux
      3. macOS
      Featured

      This discounted SSD fixed my gaming handheld’s biggest weakness — Extra storage space for Steam Deck, ASUS ROG Ally, and Lenovo Legion Go

      July 11, 2025
      Recent

      This discounted SSD fixed my gaming handheld’s biggest weakness — Extra storage space for Steam Deck, ASUS ROG Ally, and Lenovo Legion Go

      July 11, 2025

      These are the 5 Prime Day deals I’d buy if I weren’t about to have a baby

      July 11, 2025

      OpenAI’s $6.5 billion purchase fuels Sam Altman’s quest to build next-gen computers for “transcendentally good” AI — The biggest tech disruption since the iPhone?

      July 11, 2025
    • Learning Resources
      • Books
      • Cheatsheets
      • Tutorials & Guides
    Home»Security»Common Vulnerabilities and Exposures (CVEs)»CVE-2025-38347 – F2FS Inline Data Corruption Denial of Service (DoS) Vulnerability

    CVE-2025-38347 – F2FS Inline Data Corruption Denial of Service (DoS) Vulnerability

    July 10, 2025

    CVE ID : CVE-2025-38347

    Published : July 10, 2025, 9:15 a.m. | 4 hours, 51 minutes ago

    Description : In the Linux kernel, the following vulnerability has been resolved:

    f2fs: fix to do sanity check on ino and xnid

    syzbot reported a f2fs bug as below:

    INFO: task syz-executor140:5308 blocked for more than 143 seconds.
    Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0
    “echo 0 > /proc/sys/kernel/hung_task_timeout_secs” disables this message.
    task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006
    Call Trace:

    context_switch kernel/sched/core.c:5378 [inline]
    __schedule+0x190e/0x4c90 kernel/sched/core.c:6765
    __schedule_loop kernel/sched/core.c:6842 [inline]
    schedule+0x14b/0x320 kernel/sched/core.c:6857
    io_schedule+0x8d/0x110 kernel/sched/core.c:7690
    folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317
    __folio_lock mm/filemap.c:1664 [inline]
    folio_lock include/linux/pagemap.h:1163 [inline]
    __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917
    pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87
    find_get_page_flags include/linux/pagemap.h:842 [inline]
    f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776
    __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463
    read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306
    lookup_all_xattrs fs/f2fs/xattr.c:355 [inline]
    f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533
    __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179
    f2fs_acl_create fs/f2fs/acl.c:375 [inline]
    f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418
    f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539
    f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666
    f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765
    f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808
    f2fs_add_link fs/f2fs/f2fs.h:3616 [inline]
    f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766
    vfs_mknod+0x36d/0x3b0 fs/namei.c:4191
    unix_bind_bsd net/unix/af_unix.c:1286 [inline]
    unix_bind+0x563/0xe30 net/unix/af_unix.c:1379
    __sys_bind_socket net/socket.c:1817 [inline]
    __sys_bind+0x1e4/0x290 net/socket.c:1848
    __do_sys_bind net/socket.c:1853 [inline]
    __se_sys_bind net/socket.c:1851 [inline]
    __x64_sys_bind+0x7a/0x90 net/socket.c:1851
    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

    Let’s dump and check metadata of corrupted inode, it shows its xattr_nid
    is the same to its i_ino.

    dump.f2fs -i 3 chaseyu.img.raw
    i_xattr_nid [0x 3 : 3]

    So that, during mknod in the corrupted directory, it tries to get and
    lock inode page twice, result in deadlock.

    – f2fs_mknod
    – f2fs_add_inline_entry
    – f2fs_get_inode_page — lock dir’s inode page
    – f2fs_init_acl
    – f2fs_acl_create(dir,..)
    – __f2fs_get_acl
    – f2fs_getxattr
    – lookup_all_xattrs
    – __get_node_page — try to lock dir’s inode page

    In order to fix this, let’s add sanity check on ino and xnid.

    Severity: 0.0 | NA

    Visit the link for more details, such as CVSS details, affected products, timeline, and more…

    Source: Read More

    Facebook Twitter Reddit Email Copy Link
    Previous ArticleCVE-2025-3396 – GitLab EE API Request Forgery Vulnerability
    Next Article CVE-2025-38348 – “Intersil p54 WiFi Interface Buffer Overflow Vulnerability”

    Related Posts

    Development

    Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update

    July 11, 2025
    Development

    Critical Vulnerability in Anthropic’s MCP Exposes Developer Machines to Remote Exploits

    July 11, 2025
    Leave A Reply Cancel Reply

    For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

    Continue Reading

    CVE-2025-1531 – Hitachi Ops Center Analyzer Viewpoint Authentication Credentials Leakage

    Common Vulnerabilities and Exposures (CVEs)

    CVE-2025-46569 – Open Policy Agent (OPA) HTTP Data API Code Injection Vulnerability

    Common Vulnerabilities and Exposures (CVEs)

    CVE-2025-2523 – “Honeywell Experion PKS and OneWireless WDM Integer Underflow Vulnerability Allows Remote Code Execution”

    Common Vulnerabilities and Exposures (CVEs)

    Add Apple CarPlay or Android Auto to your older car with this screen – and it’s on sale

    News & Updates

    Highlights

    CVE-2025-22241 – Apache Ansible VirtKey Directory Traversal Vulnerability

    June 13, 2025

    CVE ID : CVE-2025-22241

    Published : June 13, 2025, 7:15 a.m. | 2 hours, 49 minutes ago

    Description : File contents overwrite the VirtKey class is called when “on-demand pillar” data is requested and uses un-validated input to create paths to the “pki directory”. The functionality is used to auto-accept Minion authentication keys based on a pre-placed “authorization file” at a specific location and is present in the default configuration.

    Severity: 5.6 | MEDIUM

    Visit the link for more details, such as CVSS details, affected products, timeline, and more…

    Microsoft Edge for Android may suggest SteamDB extension when visiting Steam

    June 25, 2025

    CVE-2025-49260 – ThemBay Aora PHP Remote File Inclusion Vulnerability

    June 17, 2025

    JavaScript Weekly Insights #20: Latest Frameworks, Tools & Trends

    April 4, 2025
    © DevStackTips 2025. All rights reserved.
    • Contact
    • Privacy Policy

    Type above and press Enter to search. Press Esc to cancel.