Message-ID: <CA+HokZqTi7=ossgk7gKqJY_pViaso=Hy0-iRj8v3H5A35Bxhqw@mail.gmail.com>
Date: Mon, 3 Mar 2025 17:24:06 +0800
From: Strforexc yn <strforexc@...il.com>
To: "Theodore Ts'o" <tytso@....edu>, Andreas Dilger <adilger.kernel@...ger.ca>, linux-ext4@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: [BUG] Kernel BUG in ext4_write_inline_data (Ext4) on 6.14.0-rc4 - Possible Regression

Dear Linux Kernel Developers,
I’ve encountered a kernel BUG in the Ext4 filesystem on Linux
6.14.0-rc4 during an inline data write, which may indicate a
regression from prior fixes. Here are the details:

Kernel commit: v6.14-rc4 (Commits on Feb 24, 2025)
Kernel Config: https://github.com/Strforexc/LinuxKernelbug/blob/main/.config
Kernel Log: https://github.com/Strforexc/LinuxKernelbug/blob/main/bug_ext4_write_inline_data/log0
Reproduce.c: https://github.com/Strforexc/LinuxKernelbug/blob/main/bug_ext4_write_inline_data/repro.cprog

A kernel BUG is triggered at fs/ext4/inline.c:235 in
ext4_write_inline_data, causing an invalid opcode exception. This
occurs during a sendfile64 operation writing inline data, likely due
to an assertion failure (BUG_ON).

Location: The BUG occurs at a BUG_ON in ext4_write_inline_data, likely
BUG_ON(pos + len > EXT4_I(inode)->i_inline_size) (line 231), with
pos=96 and len=97 (total 193 bytes).

Cause: The write exceeds the inode’s inline size, triggering the
assertion. Higher-level calls fail to validate the size, allowing an
oversized request.
Context: Syzkaller’s sendfile64 crafted a write to an inline Ext4
inode, exposing this issue.
Regression: Ext4 inline data handling has had prior fixes. This BUG
suggests a regression where size validation was weakened, allowing
invalid writes to reach the assertion.

Impact: The BUG causes a kernel panic (DoS). While not directly
exploitable beyond that, it indicates a validation gap.
Request: Could Ext4 maintainers investigate? This appears to be a
regression from prior inline data fixes. Suggested: add size
validation in ext4_da_write_end or ext4_file_write_iter before calling
ext4_write_inline_data.

Our knowledge of the kernel is somewhat limited, and we'd appreciate
it if you could determine if there is such an issue. If this issue
doesn't have an impact, please ignore it ☺.

If you fix this issue, please add the following tag to the commit:
Reported-by: Zhizhuo Tang strforexctzzchange@...mail.com, Jianzhou
Zhao xnxc22xnxc22@...com, Haoran Liu <cherest_san@....com>
===========================================================================
------------[ cut here ]------------
kernel BUG at fs/ext4/inline.c:235!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 12157 Comm: syz.0.58 Not tainted 6.14.0-rc4 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:ext4_write_inline_data+0x346/0x3e0 fs/ext4/inline.c:235
Code: d0 f6 4b ff e8 cb f6 4b ff 42 8d 6c 25 c4 41 bd 3c 00 00 00 45
29 e5 e9 e8 fe ff ff e8 b3 f6 4b ff 90 0f 0b e8 ab f6 4b ff 90 <0f> 0b
e8 63 95 ac ff e9 fb fd ff ff 4c 89 f7 e8 56 95 ac ff e9 96
RSP: 0018:ffffc900043e7628 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888012c251f0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000060
R13: 0000000000000061 R14: ffff888012c2579a R15: ffffc900043e76c0
FS:  00007f2c042b2640(0000) GS:ffff88807ee00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc99327fc00 CR3: 000000006a448000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ext4_write_inline_data_end+0x25f/0xc20 fs/ext4/inline.c:774
 ext4_da_write_end+0x201/0x2d0 fs/ext4/inode.c:3080
 generic_perform_write+0x51c/0x910 mm/filemap.c:4204
 ext4_buffered_write_iter+0x11a/0x440 fs/ext4/file.c:299
 ext4_file_write_iter+0x350/0x420 fs/ext4/file.c:717
 iter_file_splice_write+0xa0a/0x1080 fs/splice.c:743
 do_splice_from fs/splice.c:941 [inline]
 direct_splice_actor+0x194/0x6f0 fs/splice.c:1164
 splice_direct_to_actor+0x343/0x9c0 fs/splice.c:1108
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x176/0x250 fs/splice.c:1233
 do_sendfile+0xa79/0xd90 fs/read_write.c:1363
 __do_sys_sendfile64 fs/read_write.c:1424 [inline]
 __se_sys_sendfile64 fs/read_write.c:1410 [inline]
 __x64_sys_sendfile64+0x1de/0x220 fs/read_write.c:1410
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcb/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2c033b85ad
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2c042b1f98 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f2c03646080 RCX: 00007f2c033b85ad
RDX: 0000000000000000 RSI: 0000000000000007 RDI: 0000000000000006
RBP: 00007f2c0346a8d6 R08: 0000000000000000 R09: 0000000000000000
R10: 000080001d00c0d0 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f2c03646080 R15: 00007f2c04292000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_write_inline_data+0x346/0x3e0 fs/ext4/inline.c:235
Code: d0 f6 4b ff e8 cb f6 4b ff 42 8d 6c 25 c4 41 bd 3c 00 00 00 45
29 e5 e9 e8 fe ff ff e8 b3 f6 4b ff 90 0f 0b e8 ab f6 4b ff 90 <0f> 0b
e8 63 95 ac ff e9 fb fd ff ff 4c 89 f7 e8 56 95 ac ff e9 96
RSP: 0018:ffffc900043e7628 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888012c251f0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000060
R13: 0000000000000061 R14: ffff888012c2579a R15: ffffc900043e76c0
FS:  00007f2c042b2640(0000) GS:ffff88802b600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2680f65e70 CR3: 000000006a448000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
==================================================================
Regards,
Strforexc
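The report asks for a size check in the caller-facing write path so that an oversized inline write is rejected with an error instead of reaching a BUG_ON. The following is an added user-space model of that idea; it is not the reporter's repro.c and not kernel code. The struct, function names and the 128-byte inline capacity are constructed for illustration; only the numbers pos=96 and len=97 come from the report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space model of an inode that keeps file data inline. */
struct model_inode {
    size_t i_inline_size;          /* capacity of the inline area (constructed) */
    size_t i_size;                 /* bytes currently stored */
    unsigned char inline_data[256];
};

/*
 * Validate an inline write before touching the buffer.  Returns 0 when
 * [pos, pos+len) fits in the inline area, -EOVERFLOW when pos+len would
 * wrap around, and -EFBIG when the range exceeds the capacity.
 */
int inline_write_check(const struct model_inode *inode, size_t pos, size_t len)
{
    if (len > SIZE_MAX - pos)          /* pos + len would wrap */
        return -EOVERFLOW;
    if (pos + len > inode->i_inline_size)
        return -EFBIG;
    return 0;
}

/* Copy into the inline area only after the check passed; errors are returned, never asserted. */
int inline_write(struct model_inode *inode, size_t pos, const void *buf, size_t len)
{
    int err = inline_write_check(inode, pos, len);
    if (err)
        return err;
    memcpy(inode->inline_data + pos, buf, len);
    if (pos + len > inode->i_size)
        inode->i_size = pos + len;
    return 0;
}

/*
 * Model of what a higher-level write path can do instead: clamp the request
 * to the remaining inline capacity and report a short write, so the caller
 * can fall back (for example by converting the file to block-mapped storage).
 * Returns bytes written, or a negative errno.
 */
long inline_write_clamped(struct model_inode *inode, size_t pos, const void *buf, size_t len)
{
    if (pos > inode->i_inline_size)
        return -EFBIG;
    size_t room = inode->i_inline_size - pos;
    size_t n = len < room ? len : room;
    if (n == 0)
        return 0;
    int err = inline_write(inode, pos, buf, n);
    return err ? err : (long)n;
}

/*
 * Replay the report's request (pos=96, len=97, i.e. 193 bytes) against a
 * constructed 128-byte inline area.  clamp=0 uses the strict path and
 * returns its error code; clamp=1 uses the clamped path and returns bytes written.
 */
long replay_report(int clamp)
{
    struct model_inode ino = { .i_inline_size = 128, .i_size = 96 };
    unsigned char payload[97];
    memset(payload, 'A', sizeof payload);
    if (clamp)
        return inline_write_clamped(&ino, 96, payload, 97);
    return inline_write(&ino, 96, payload, 97);
}

int main(void)
{
    printf("strict write:  %ld (expected -EFBIG = %d)\n", replay_report(0), -EFBIG);
    printf("clamped write: %ld bytes written\n", replay_report(1));
    return 0;
}
```

The strict path returns -EFBIG for the report's 193-byte range; the clamped path writes the 32 bytes that still fit and lets the caller decide what to do with the rest. Either outcome is an ordinary error return rather than a kernel panic, which is the difference the report's "Impact" section is pointing at.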