In the Linux kernel, the kafs filesystem has a vulnerability (CVE-2025-21646) related to the maximum cell name length. With a cell name of the maximum length, kafs fails to create the directory named after the cell under /proc/net/afs/, and a warning is triggered because the name exceeds the procfs limits. This article analyzes the problem, discusses the possible consequences and presents the fix that resolves the issue.

Understanding the Problem

A cell name in the kafs filesystem can be up to 256 bytes long. However, creating a directory with a name of this maximum length in /proc/net/afs/ fails and raises a warning, because procfs only accepts filenames of up to 255 bytes. Moreover, DNS limits the maximum lookup length to 255 bytes, which reduces the possible cell name length to 253. This inconsistency between the kafs and procfs limits causes the vulnerability in the Linux kernel.

Code Snippet Highlighting the Issue

WARNING: CPU:  PID: 9 at fs/proc/generic.c:405

To fix CVE-2025-21646, a two-fold approach is used:

1. Limit the maximum acceptable cell name length to 253 bytes, aligning it with the DNS lookup length and ensuring the creation of the "/afs/./" mountpoint.
2. Adjust the YFS VL record cell name maximum length to 256 (as per protocol) and ignore the record retrieved by YFSVL.GetCellName if it exceeds 253 bytes.
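
The two parts of the fix, modelled in user-space C as an added example (this is not the kernel patch and not code from the original article). The macro and function names are hypothetical; only the byte limits come from the text above.

```c
#include <stdio.h>
#include <string.h>

/* Limits as stated in the article; the macro names are hypothetical. */
#define OLD_CELL_NAME_MAX   256 /* accepted by kafs before the fix */
#define PROCFS_NAME_MAX     255 /* longest filename procfs accepts */
#define FIXED_CELL_NAME_MAX 253 /* limit after the fix */
#define VL_RECORD_NAME_MAX  256 /* YFS VL record maximum, per protocol */

/* 1 if a non-empty name of `len` bytes fits within `limit`. */
static int cell_name_ok(size_t len, size_t limit)
{
    return len > 0 && len <= limit;
}

/* 1 if the name passes the check yet is too long for procfs (the warning case). */
static int accepted_but_breaks_procfs(size_t len, size_t limit)
{
    return cell_name_ok(len, limit) && len > PROCFS_NAME_MAX;
}

/* Second part of the fix: a server-supplied name over 253 bytes is ignored
 * (returns 0); otherwise it is copied NUL-terminated and its length returned. */
static size_t adopt_server_name(const char *rec, size_t len, char *out, size_t cap)
{
    if (!cell_name_ok(len, FIXED_CELL_NAME_MAX) || len + 1 > cap)
        return 0;
    memcpy(out, rec, len);
    out[len] = '\0';
    return len;
}

/* Constructed sample: a record holding `len` 'a' bytes. */
static size_t demo_adopt(size_t len)
{
    char rec[VL_RECORD_NAME_MAX], out[FIXED_CELL_NAME_MAX + 1];
    if (len > sizeof(rec))
        return 0;
    memset(rec, 'a', len);
    return adopt_server_name(rec, len, out, sizeof(out));
}

int main(void)
{
    printf("256-byte name breaks procfs: old %d, fixed %d; 253-byte record: %zu\n",
           accepted_but_breaks_procfs(256, OLD_CELL_NAME_MAX),
           accepted_but_breaks_procfs(256, FIXED_CELL_NAME_MAX), demo_adopt(253));
    return 0;
}
```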

Exploit Details

This vulnerability has been assigned the identifier CVE-2025-21646. It affects the Linux kernel's kafs filesystem when handling maximum cell name lengths. Left unpatched, it could lead to filesystem directory creation failures and system warnings.

To exploit this vulnerability, an attacker would need to create a cell with a name that is at its maximum length (256 bytes), which would trigger the warning and fail to create the /proc/net/afs/ directory. The risk of the exploit remains relatively low as it doesn't directly lead to more severe consequences like data leaks or crashes.

Applying the proposed fix will limit the cell name length to 253 bytes, aligning it with DNS lookup constraints and procfs filename length limits, and avoid issues related to creating directories under /proc/net/afs/.

Timeline

Published on: 01/19/2025 11:15:10 UTC
Last modified on: 02/02/2025 11:15:15 UTC