Navigation section

Linux JFS CVE-2025-37742 kzalloc Fix Prevents KMSAN in Imap

  • Thread Author
A subtle but important memory-initialization fix landed in upstream Linux this spring: CVE-2025-37742 patches an uninitialized-value access in the JFS filesystem by ensuring the in-memory imap structure is zeroed when it’s allocated in the diMount() routine. The result is a low-complexity, locally exploitable kernel bug that manifests as KMSAN/hex-dump warnings and can cause kernel instability or denial-of-service conditions when JFS code paths execute. Operators who run kernels with in-tree JFS support should treat this as a stability/availability risk: apply vendor kernel updates or otherwise prevent the JFS code path from running until kernels containing the kzalloc-based fix are installed and active.

A programmer sits at a laptop amid glowing circuit-board graphics and code blocks.Background / Overview​

The affected component is the Linux kernel’s JFS (Journaling File System) implementation. JFS has long been present in the kernel as one of several supported on-disk filesystems; while not as commonly used as ext4 or XFS on many modern distributions, JFS remains important in certain environments and appears in countless legacy and embedded images.
The specific defect was discovered by automated kernel testing (syzbot) and surfaced as a Kernel Memory Sanitizer (KMSAN) warning: an uninitialized value was traced from allocation in fs/jfs/jfs_imap.c (diMount()) through a hex-dump routine, which ultimately allowed the kernel to observe—or in some builds, act upon—uninitialized memory. The upstream remedy is straightforward and surgical: allocate the imap buffer with kzalloc (zero-initialized allocation) instead of kmalloc, eliminating the uninitialized read.
This is not a broad remote-execution flaw; it is a local memory-initialization bug that affects kernel stability and availability when the relevant JFS code paths execute. That said, the practical impact on real-world systems depends on whether JFS is active on the host (either as a mounted filesystem, a loaded kernel module, or mounted via user action), and whether an attacker can trigger the problematic code path (for example, by mounting a crafted JFS image or otherwise causing JFS to process specially crafted on-disk metadata).

What exactly went wrong: technical anatomy​

The root cause: uninitialized imap after kmalloc​

At the heart of CVE-2025-37742 is a classic kernel correctness error: memory was allocated without explicit zero-initialization, and later code read fields that had not been written. In diMount(), the JFS code used kmalloc to allocate an imap structure (a runtime map used by JFS to track allocation information). Because kmalloc does not zero memory, bytes in the newly allocated buffer could contain leftover kernel memory. Later, debugging / hex-dump code (hex_dump_to_buffer / print_hex_dump) observed or printed those bytes, producing a KMSAN report and, in some kernel builds, a BUG/OOPS trace.
KMSAN’s stack trace makes the flow clear: hex_dump_to_buffer reported an uninitialized read, the trace went through print_hex_dump, diFree, jfs_evict_inode and into transaction / lazy-commit paths in JFS. The uninitialized memory was created at allocation time (kmalloc) and read much later when JFS code attempted to produce a hex dump of in-memory structures during cleanup or debug paths.

Why kzalloc fixes it​

Switching kmalloc(...) to kzalloc(...) performs the exact defense needed: kzalloc returns memory that is zeroed, guaranteeing that fields read later will be deterministic (zero instead of whatever garbage the slab contained). Zero-initialization removes the uninitialized-read condition and prevents the hex-dump / KMSAN path from seeing uninitialized bytes.
This is a surgical correctness fix — it does not change data structures, lock ordering, or external behavior beyond ensuring memory is initialized before use. It is the canonical fix for a wide class of KMSAN-detected issues.

Impact analysis: who and how is affected​

Scope: local, filesystem-specific​

  • Attack vector: local (AV:L). This is not a remotely exploitable kernel network flaw by itself. An attacker or unprivileged user would generally need ability to mount filesystems or otherwise cause the kernel to run JFS code paths.
  • Privileges required: low — on many systems mount capability is restricted to privileged users, but capabilities vary; containers, virtual machines, or multi-tenant systems could provide local accelerator to triggering the code.
  • User interaction: not required for the vulnerability itself — if a privileged user or process mounts a crafted JFS image, the condition can be triggered without further interaction.
  • Impact categories: confidentiality/ integrity impact appears to be none for the kernel-level description (the bug is an uninitialized read that is reported by KMSAN), but availability impact can be high — kernel oopses and BUG_ONs triggered by inconsistent or unexpected values can crash or hang the host, causing denial-of-service for services and users.

Concrete consequences​

  • Kernel oops, panic, or process-level crashes when the JFS code path executes and encounters the uninitialized value during debug/evict/transaction cleanup.
  • Repeated triggering can lead to sustained availability loss. In a multi-tenant environment (containers or shared VMs), an attacker with the ability to mount or cause JFS activity can repeatedly crash kernel subsystems leading to persistent instability until a reboot or patch is applied.
  • Because the issue is local and tied to a specific filesystem module, broad internet worms are unlikely; however, targeted attackers or misconfigured systems that allow local mounting of hostile images are at meaningful risk.

How to detect exploitation or attempts​

Look for kernel log entries matching the KMSAN/hex-dump trace pattern. Typical signs include kernel messages like:
  • "BUG: KMSAN: uninit-value in hex_dump_to_buffer" followed by a stack trace that references lib/hexdump.c and fs/jfs/jfs_imap.c or jfs_evict_inode.
  • Kernel oops/panic traces during mount, unmount, or background JFS transaction commit/evict paths.
  • Repeated crashes or tracebacks tied to JFS functions (jfs_mount, diMount, jfs_evict_inode, jfs_txnmgr.*).
Practical detection steps:
  • Inspect dmesg and /var/log/kern.log (or distro-specific kernel logs) for "hexdump", "KMSAN", "jfs", "diMount", "jfs_imap" or related function names.
  • Search centralized logging for kernel oops signatures originating from the jfs code path.
  • If you run kernel sanitizers in CI (KASAN/KMSAN), examine their test results for reproducible failures that reference JFS.

Mitigation and remediation: immediate actions for admins​

If JFS is not used in your environment, the fastest operational mitigation is to prevent the JFS code path from loading or executing until you can install a patched kernel.
Immediate options (choose based on operational constraints):
  • Patch and reboot (recommended)
  • Install vendor-supplied kernel updates that include the upstream kzalloc fix.
  • Reboot systems to activate the patched kernel.
  • This is the definitive fix: it removes the bug from the active kernel binary.
  • Blacklist the JFS module (workaround if rebooting is delayed and JFS is not required)
  • Create a modprobe blacklist file on affected systems:
  • Example: create /etc/modprobe.d/blacklist-jfs.conf with a single line:
  • blacklist jfs
  • Unload the module if already loaded (may fail if in use):
  • rmmod jfs
  • Note: blacklisting prevents mounting JFS filesystems. If you rely on JFS volumes, do not use this workaround—apply the patch instead.
  • Avoid mounting untrusted images
  • Restrict who can mount block devices or filesystems.
  • Validate and scan filesystem images before mounting on production systems.
  • Use vendor backports or livepatching where available
  • Some enterprise distributions may offer livepatches or kernel hotfixes for stability/security fixes; consult your vendor for supported options.
  • Livepatching may address the behavior without a full reboot where vendors provide such a backport.
  • Limit mount namespaces and capabilities in containers
  • Harden container runtimes by restricting CAP_SYS_ADMIN and mount privileges for untrusted workloads.
Practical commands to help triage and act
  • Check if the JFS module is present and/or loaded:
  • lsmod | grep jfs
  • modinfo jfs
  • Find kernel version:
  • uname -r
  • Check dmesg for symptoms:
  • dmesg --level=err,warn | grep -E 'KMSAN|hexdump|jfs|diMount|jfs_imap|jfs_evict_inode'
  • Blacklist module:
  • echo "blacklist jfs" | sudo tee /etc/modprobe.d/blacklist-jfs.conf
  • sudo update-initramfs -u # on distributions that require it; may need reboot to take full effect
Always test blacklisting/change management steps in non-production before wide deployment.

Patch mechanics: what changed in the kernel​

The upstream patch replaces a non-zeroing allocator call with a zero-initializing variant. In the diMount() path, where imap memory is allocated, the code previously called kmalloc(...). The corrected code uses kzalloc(...) so the freshly allocated buffer is filled with zeros before further initialization or use.
Why this is low-risk: the change is minimal and keeps behavior consistent while removing the uninitialized-read condition. The change has negligible performance impact in typical server workloads; kzalloc still uses slab allocation but explicitly initialises memory, and the correctness gain far outweighs the cost.
Operational consequence: installing the fix requires replacing the running kernel binary (or receiving a vendor backport) and rebooting to the patched kernel, unless a vendor supplies a livepatch.

Risk, tradeoffs, and longer-term considerations​

  • Patching strategy: Because this is a local, availability-focused bug and not remote code execution, prioritize patching based on exposure. Systems that allow locals to mount filesystems (e.g., developer laptops, bastion hosts, virtualization hosts that accept images, container hosts) should be patched first.
  • Blacklisting impact: If you rely on JFS volumes (legacy storage or appliances), blacklisting is not viable. In that case, schedule kernel updates and reboots or obtain vendor-supplied backports.
  • Livepatch availability: Enterprise distros may provide live kernel patching for certain fixes. Confirm with your vendor whether a livepatch exists for the specific kernel package you run.
  • Testing: Because filesystem and kernel changes can interact with storage stacks, test the updated kernel in staging with representative IO and workload patterns before broad rollout.
  • Detection vs prevention: Logging and detection will help identify attempted exploit attempts, but the safest course is to patch at the binary level; detection alone will not stop future crashes.

Practical rollout checklist for sysadmins​

  • Inventory and prioritize
  • Identify systems with JFS support or JFS volumes.
  • Prioritize hosts that accept untrusted images or that are multi-tenant.
  • Assess kernel exposure
  • For each host, run uname -r and check distribution advisories for the kernel package version to determine if your vendor has released a patch.
  • Apply vendor updates
  • Use your distribution’s package manager to install the fixed kernel packages from your vendor’s security repository and reboot according to your change window.
  • If immediate patching is not possible
  • Blacklist jfs (if JFS is not required).
  • Restrict mount capabilities and untrusted image mounts.
  • Monitor kernel logs closely for KMSAN/hex-dump messages.
  • Validate and document
  • After patching, confirm that the kernel no longer logs the KMSAN trace. Validate that normal filesystem, VM, and container operations behave as expected.
  • Long-term hygiene
  • Enable an inventory routine that flags kernels with unpatched CVEs.
  • Maintain patch windows and test harnesses that include small-scale mount/unmount stress tests for critical filesystems.

Security context: why this kind of bug shows up and what it means​

Automated fuzzing and sanitizer tooling such as syzbot and KMSAN play a critical role in surface-level kernel hardening. The issue that created CVE-2025-37742 is not a logic flaw in filesystem semantics but a memory-safety correctness lapse: allocation without initialization. These are exactly the types of defects KMSAN was built to find.
From an operational perspective, uninitialized reads can be benign (garbage printed in logs) or severe (triggering BUG_ON or panics when the garbage flows into control paths). The distribution of outcomes depends heavily on the code path and how values read from memory are used. That variability is why kernel maintainers prefer zero-initializing allocations defensively when data will be read before being deterministically set.
This bug also underscores a persistent operational reality: a kernel vulnerability’s operational risk is a function of code-path exposure. Filesystem-specific bugs can be low priority in environments that never use the filesystem; conversely, they are top priority where the filesystem is in active use or where untrusted users can trigger the code path.

Recommended reading and testing practices for engineering teams​

  • Add KMSAN/KASAN-style checks in integration/CI where feasible for kernel builds used in development — catching uninitialized reads early avoids production disruptions.
  • Maintain a canonical inventory of which filesystems and kernel modules are allowed on a given host class.
  • Use least-privilege policies for mounting operations and container runtimes — reduce local attack surface by limiting who can mount block devices or perform raw image mounts.
  • Maintain a simple test harness for mount/unmount stress and lazy-commit/evict paths for filesystems you rely on; run it under pre-release kernels to detect regressions.

Final takeaways​

  • CVE-2025-37742 is a targeted, local kernel vulnerability in the JFS code that arises from an uninitialized-memory read in diMount() and is fixed by changing the allocation to kzalloc.
  • The practical risk is availability-focused: unpatched kernels running JFS code may log KMSAN warnings or, worse, experience kernel oopses that cause service outages.
  • Immediate action: check whether you use JFS or load the jfs module, and if so apply vendor kernel updates or use safe mitigations (module blacklisting only if you do not need JFS).
  • For environments where JFS is critical, schedule and test kernel upgrades; for environments where JFS is unused, consider blacklisting until the patchable maintenance window arrives.
The technical fix is small, but the operational implications are real: a one-line allocator change eliminates a class of uninitialized-memory failures that can cascade into availability problems. Treat this as a maintainability and stability issue as much as a security issue—patch promptly, test carefully, and reduce exposure where practical.
Source: MSRC Security Update Guide - Microsoft Security Response Center
 

Click to expand...
You must log in or register to reply here.

Similar threads

ChatGPT
  • Article Article
CVE-2025-68365: ntfs3 Zeroes Allocation to Fix KMSAN in Linux
Replies
0
Views
28
ChatGPT
ChatGPT
Back
Top