Message-ID: <v5k5n2txkjo2hngffk44aa3noqdwt2mnpy6fueoc24jhng55y3@ms44337i4j3q>
Date: Sun, 14 Dec 2025 21:56:00 +0800
From: Heming Zhao <heming.zhao@...e.com>
To: Mark Fasheh <mark@...heh.com>, 
	Swaraj Gaikwad <swarajgaikwad1925@...il.com>, joseph.qi@...ux.alibaba.com, dmantipov@...dex.ru
Cc: Joel Becker <jlbec@...lplan.org>, Kees Cook <kees@...nel.org>, 
	"Gustavo A. R. Silva" <gustavoars@...nel.org>, 
	"open list:ORACLE CLUSTER FILESYSTEM 2 (OCFS2)" <ocfs2-devel@...ts.linux.dev>, open list <linux-kernel@...r.kernel.org>, 
	"open list:KERNEL HARDENING (not covered by other areas):Keyword:b__counted_by(_le|_be)?b" <linux-hardening@...r.kernel.org>, skhan@...uxfoundation.org, david.hunter.linux@...il.com, 
	syzbot+cf96bc82a588a27346a8@...kaller.appspotmail.com
Subject: Re: [PATCH] ocfs2: fix xattr array out-of-bounds in ocfs2_xa_remove_entry()

On Fri, Dec 12, 2025 at 03:18:06PM -0800, Mark Fasheh wrote:
> On Fri, Dec 12, 2025 at 5:36 AM Swaraj Gaikwad
> <swarajgaikwad1925@...il.com> wrote:
> >
> > Syzkaller reported an out-of-bounds access in ocfs2_xa_remove_entry(),
> > triggered when removing an xattr entry.
> >
> > The root cause is that the original code decrements xh_count in-place using
> > le16_add_cpu() before reading the updated count value into a local variable.
> > However, due to the way the entry removal logic interacts with the array bounds
> > checking (enforced by __counted_by(xh_count)), the stale count during subsequent
> > operations leads to the out-of-bounds access during the removal process.
> > This patch fixes the issue by reading the current count first, computing the
> > decremented value locally, and then explicitly writing the updated count back to
> > xh_count at the end of the function. This ensures the array bounds are correctly
> > reflected throughout the entry removal without relying on in-place modification
> > timing.
> >
> > The fix has been tested by reproducing the syzkaller crash report, which no longer
> > triggers after applying the patch.
> >
> > Reported-by: syzbot+cf96bc82a588a27346a8@...kaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com./bug?extid=cf96bc82a588a27346a8
> > Signed-off-by: Swaraj Gaikwad <swarajgaikwad1925@...il.com>
> 
> Reviewed-by: Mark Fasheh <mark@...heh.com>
> 

Hi Swaraj and Mark

Dmitry Antipov has sent a patch to fix this issue, and the patch status has
been reviewed.

ref: https://lore.kernel.org/ocfs2-devel/5561c14a-9aaa-43b7-95f9-8428a2364f09@linux.alibaba.com/T/#u

Thanks,
Heming
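
The ordering hazard the quoted commit message describes (count decremented in place before the entry shuffle, versus count read first and written back last), as an added example that is not ocfs2's code or any patch from this thread. The `xattr_header`/`xattr_entry` structs, `make_header()`, `xh_range_ok()` and the `remove_entry_*` functions are simplified assumptions for illustration; `xh_range_ok()` stands in for what a `__counted_by`-aware bounds checker (for example `-fsanitize=bounds` or FORTIFY with `__builtin_dynamic_object_size`) enforces: any index at or beyond the *current* `xh_count` is out of bounds at the moment of the access, even when the slot physically still exists.

```c
/* Added example: model of the xh_count / __counted_by ordering hazard.
 * Not ocfs2 code; all names below are illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same fallback pattern the kernel uses: the attribute is applied where the
 * compiler knows it (GCC 15+, Clang 18+) and expands to nothing elsewhere. */
#ifdef __has_attribute
# if __has_attribute(counted_by)
#  define __counted_by(m) __attribute__((counted_by(m)))
# endif
#endif
#ifndef __counted_by
# define __counted_by(m)
#endif

#define MAX_ENTRIES 8

struct xattr_entry {
	uint32_t name_hash;
	uint32_t value_off;
};

/* Simplified stand-in for the on-disk xattr header: the flexible array is
 * bounded by xh_count, so indices >= xh_count are out of bounds *now*. */
struct xattr_header {
	uint16_t xh_count;
	struct xattr_entry xh_entries[] __counted_by(xh_count);
};

/* Emulates a __counted_by bounds check over entries [first, first + n). */
static int xh_range_ok(const struct xattr_header *xh, unsigned int first,
		       unsigned int n)
{
	return first + n <= xh->xh_count;
}

/* Ordering the report describes: decrement in place, then re-read the (now
 * stale) count.  The tail copy and the slot clear both touch entries[count],
 * which equals the new xh_count, so the emulated check fires. */
int remove_entry_before_fix(struct xattr_header *xh, unsigned int index)
{
	if (!xh_range_ok(xh, index, 1))
		return -1;
	xh->xh_count--;                        /* le16_add_cpu(&xh_count, -1) */
	unsigned int count = xh->xh_count;     /* already decremented */
	unsigned int tail = count - index;     /* entries to shift down */

	if (tail) {
		if (!xh_range_ok(xh, index + 1, tail))
			return -1;             /* out of bounds under __counted_by */
		memmove(&xh->xh_entries[index], &xh->xh_entries[index + 1],
			tail * sizeof(xh->xh_entries[0]));
	}
	if (!xh_range_ok(xh, count, 1))
		return -1;                     /* entries[xh_count] is out of bounds */
	memset(&xh->xh_entries[count], 0, sizeof(xh->xh_entries[0]));
	return 0;
}

/* Ordering of the fix: read the live count first, do all array work against
 * the old bound, and write the decremented count back only at the end. */
int remove_entry_after_fix(struct xattr_header *xh, unsigned int index)
{
	unsigned int count = xh->xh_count;
	if (index >= count)
		return -1;
	unsigned int new_count = count - 1;
	unsigned int tail = new_count - index; /* entries after the removed one */

	if (tail) {
		if (!xh_range_ok(xh, index + 1, tail))
			return -1;
		memmove(&xh->xh_entries[index], &xh->xh_entries[index + 1],
			tail * sizeof(xh->xh_entries[0]));
	}
	/* Vacated slot is entries[count - 1]: still inside the old bound. */
	if (!xh_range_ok(xh, new_count, 1))
		return -1;
	memset(&xh->xh_entries[new_count], 0, sizeof(xh->xh_entries[0]));
	xh->xh_count = (uint16_t)new_count;    /* write back last */
	return 0;
}

/* Constructed header with n entries whose name_hash encodes their slot. */
struct xattr_header *make_header(unsigned int n)
{
	struct xattr_header *xh =
		calloc(1, sizeof(*xh) + MAX_ENTRIES * sizeof(struct xattr_entry));
	if (!xh)
		abort();
	xh->xh_count = (uint16_t)n;
	for (unsigned int i = 0; i < n; i++) {
		xh->xh_entries[i].name_hash = 0x100 + i;
		xh->xh_entries[i].value_off = i * 16;
	}
	return xh;
}

/* Returns 0 when the old ordering trips the bounds check for a middle and a
 * last entry, and the fixed ordering succeeds and leaves the array consistent;
 * a non-zero bitmask identifies the failing step. */
int verify_removal_ordering(void)
{
	struct xattr_header *xh;
	int rc = 0;

	xh = make_header(3);
	if (remove_entry_before_fix(xh, 1) != -1) rc |= 1;
	free(xh);
	xh = make_header(3);
	if (remove_entry_before_fix(xh, 2) != -1) rc |= 2;
	free(xh);

	xh = make_header(3);
	if (remove_entry_after_fix(xh, 1) != 0) rc |= 4;
	if (xh->xh_count != 2) rc |= 8;
	if (xh->xh_entries[0].name_hash != 0x100 ||
	    xh->xh_entries[1].name_hash != 0x102) rc |= 16;
	if (xh->xh_entries[2].name_hash != 0) rc |= 32;
	free(xh);
	xh = make_header(3);
	if (remove_entry_after_fix(xh, 2) != 0 || xh->xh_count != 2) rc |= 64;
	free(xh);
	return rc;
}

int main(void)
{
	int rc = verify_removal_ordering();
	printf("%s (rc=%d)\n", rc ? "MISMATCH" : "ok", rc);
	return rc != 0;
}
```

The point to take from the model is that `__counted_by` turns the count field into part of the array's type contract: the bound is whatever `xh_count` holds at each access, so an "early" decrement silently shrinks the legal range for every operation that follows it, which is why the fix keeps the old count for the shuffle and stores the new one only once the array is in its final shape.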
