| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250919144548.GE416742@mit.edu>
Date: Fri, 19 Sep 2025 10:45:48 -0400
From: "Theodore Ts'o" <tytso@....edu>
To: "Darrick J. Wong" <djwong@...nel.org>
Cc: Ahmet Eray Karadag <eraykrdg1@...il.com>, adilger.kernel@...ger.ca,
linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org,
Albin Babu Varghese <albinbabuvarghese20@...il.com>
Subject: Re: [PATCH] Fix: ext4: guard against EA inode refcount underflow in
xattr update
On Thu, Sep 18, 2025 at 11:18:01AM -0700, Darrick J. Wong wrote:
> > diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
> > index 5a6fe1513fd2..a056f98579c3 100644
> > --- a/fs/ext4/xattr.c
> > +++ b/fs/ext4/xattr.c
> > @@ -1030,6 +1030,13 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode,
> >
> > ref_count = ext4_xattr_inode_get_ref(ea_inode);
> > ref_count += ref_change;
> > + if (ref_count < 0) {
>
> Shouldn't this check ref_count >= ref_change *before* updating it?
As Ahmet pointed out, so long as we don't actually update the on-disk
data structure, it's fine. The issue I'm more concerned about is that
if ref_change is +1, we could also have an overflow where we go from
an ridiculously large positive number (~0) to 0.
Your change might fix one potential syzbot-discovered issue caused by
a maliciously fuzzed file system, but we should harden it against
similar problems going in the opposite problem.
Cheers,
- Ted
Powered by blists - more mailing lists