VYPR
Unrated severity · NVD Advisory · Published Dec 4, 2025 · Updated Apr 15, 2026

CVE-2025-40233

Description

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: clear extent cache after moving/defragmenting extents

The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().

The problem occurs when:

1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED
2. ioctl(FITRIM) triggers ocfs2_move_extents()
3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2)
4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent() which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0)
5. The extent map cache is not invalidated after the move
6. Later write() operations read stale cached flags (0x2) but disk has updated flags (0x0), causing a mismatch
7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers

Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range(). This ensures subsequent operations read fresh extent data from disk.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stale extent map cache in the Linux kernel's ocfs2 filesystem can cause a BUG_ON crash after reflink, FITRIM, and defrag operations, fixed by clearing the cache after moves.

Vulnerability

Overview

CVE-2025-40233 is a bug in the Linux kernel's ocfs2 (Oracle Cluster File System) that arises when the extent map cache is not cleared after extents are moved or defragmented. The root cause is a stale cache entry that keeps the old extent flags after a move, so the cached flags and the on-disk flags disagree. That mismatch trips the BUG_ON assertion in ocfs2_refcount_cal_cow_clusters() and crashes the kernel [1][2][3].

Attack

Vector and Prerequisites

The bug is reached through a sequence of ordinary syscalls. First, copy_file_range() creates a reflinked extent carrying the OCFS2_EXT_REFCOUNTED flag. Next, ioctl(FITRIM) enters ocfs2_move_extents(), and __ocfs2_move_extents_range() reads the extent into the extent map cache with flags=0x2. __ocfs2_move_extent() then clears OCFS2_EXT_REFCOUNTED in the on-disk record (flags=0x0) without invalidating the cached entry. A later write() consults the stale cached flags, while the on-disk record no longer carries the flag, and the BUG_ON in ocfs2_refcount_cal_cow_clusters() fires [1]. The attack surface is local: no privilege beyond the ability to perform these file operations on the ocfs2 filesystem is required.

Impact

Successful exploitation results in a denial of service (kernel crash via BUG_ON). The impact is confined to availability, on any system using ocfs2 that performs a reflink and then FITRIM/defrag on the same file. There is no evidence of memory corruption or privilege escalation, but the crash disrupts any service that relies on the ocfs2 filesystem.

Mitigation

Status

The fix is in the Linux kernel stable tree as commit e92af7737a94, with a second stable-tree commit 78a63493f8e3. It clears the extent map cache after each extent move or defrag operation in __ocfs2_move_extents_range(), so subsequent lookups fetch the current on-disk flags. Users should update to a kernel that contains these commits; checking the running kernel's changelog for the commit subject "ocfs2: clear extent cache after moving/defragmenting extents" is the quickest way to confirm. No workarounds are mentioned [1][2][3].
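The following is an added userland model of the mechanism described in the Attack and Mitigation sections above; it is example code written for this page, not ocfs2 source. It keeps the ocfs2 function and flag names the page cites, but everything else (the one-slot cache, the struct layout, the sample extent, and helper names such as move_extents_range and write_path_would_bug) is an assumption for illustration. Running it with the fix toggled off reproduces the cached-0x2 versus on-disk-0x0 mismatch; toggling it on shows why dropping the cache entry after the move is sufficient.

```c
/* Added userland model of CVE-2025-40233 (not kernel code). It mimics the
 * three actors in the report: the on-disk extent record, the in-memory
 * extent map cache, and the refcount check that ends in
 * BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)). The one-slot cache, the
 * struct layout, the sample extent and the helper names other than the
 * ocfs2 functions named in the advisory are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define OCFS2_EXT_REFCOUNTED 0x2   /* the 0x2 flag value quoted in the report */

struct extent_rec {
    uint32_t e_cpos;      /* first logical cluster of the extent */
    uint32_t e_clusters;  /* length in clusters */
    uint64_t e_blkno;     /* physical block the extent starts at */
    uint8_t  e_flags;
};

/* Modelled "disk": one extent, left refcounted by copy_file_range(). */
static struct extent_rec disk_extent;

/* Modelled extent map cache: a single slot that is either valid or empty. */
static struct extent_rec cache_extent;
static bool cache_valid;

/* Stand-in for the cache-clearing call the fix adds after each move. */
static void extent_map_trunc(void) { cache_valid = false; }

/* Lookup analogue: serve from the cache, otherwise read disk and cache it. */
static struct extent_rec lookup_extent(void)
{
    if (!cache_valid) {
        cache_extent = disk_extent;
        cache_valid = true;
    }
    return cache_extent;
}

/* __ocfs2_move_extent() analogue: the moved copy lands at a new physical
 * location and is no longer shared, so REFCOUNTED is cleared on disk. */
static void move_extent_on_disk(void)
{
    disk_extent.e_blkno += 4096;  /* assumed new placement */
    disk_extent.e_flags &= (uint8_t)~OCFS2_EXT_REFCOUNTED;
}

/* __ocfs2_move_extents_range() analogue, with the fix as a toggle. */
static void move_extents_range(bool fixed)
{
    (void)lookup_extent();        /* report step 3: read and cache, flags=0x2 */
    move_extent_on_disk();        /* report step 4: disk now has flags=0x0  */
    if (fixed)
        extent_map_trunc();       /* the patch: drop the stale cache entry   */
}

/* write() analogue. The cached flags decide whether the refcount path is
 * entered; that path then checks the on-disk record and asserts it is still
 * REFCOUNTED. Returns 1 when the kernel would hit BUG_ON, 0 otherwise. */
static int write_path_would_bug(void)
{
    struct extent_rec cached = lookup_extent();
    if (!(cached.e_flags & OCFS2_EXT_REFCOUNTED))
        return 0;                 /* not shared: no CoW, refcount path skipped */
    struct extent_rec ondisk = disk_extent;
    return !(ondisk.e_flags & OCFS2_EXT_REFCOUNTED);  /* the BUG_ON condition */
}

/* Run the full sequence from the report; returns 1 if BUG_ON would fire. */
int run_sequence(bool fixed)
{
    /* report step 1: copy_file_range() leaves a refcounted extent (assumed
     * sample values: cluster 0, 8 clusters, block 8192) */
    disk_extent = (struct extent_rec){ .e_cpos = 0, .e_clusters = 8,
                                       .e_blkno = 8192,
                                       .e_flags = OCFS2_EXT_REFCOUNTED };
    cache_valid = false;
    move_extents_range(fixed);    /* report steps 2-5 */
    return write_path_would_bug(); /* report steps 6-7 */
}

int main(void)
{
    printf("unpatched: %s\n", run_sequence(false) ? "BUG_ON" : "ok");
    printf("patched:   %s\n", run_sequence(true)  ? "BUG_ON" : "ok");
    return 0;
}
```

The model deliberately keeps the two reads separate: the decision to enter the refcount path comes from the cache, the assertion inside it comes from disk. That is the shape of every stale-cache BUG_ON of this kind, and it is why the fix is an invalidation at the write site (after the move) rather than a relaxed check at the read site.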

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 8

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8

News mentions: 0 (no linked articles in our index yet)