| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <687a44bc.a70a0220.693ce.0064.GAE@google.com>
Date: Fri, 18 Jul 2025 05:57:32 -0700
From: syzbot <syzbot+fa88eb476e42878f2844@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: Private message regarding: [syzbot] [fs?] KASAN:
use-after-free Read in hpfs_get_ea
For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.
***
Subject: Private message regarding: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea
Author: kapoorarnav43@...il.com
#syz test
From: Arnav Kapoor <kapoorarnav43@...il.com>
Date: Fri, 18 Jul 2025 12:00:00 +0000
Subject: [PATCH] hpfs: fix use-after-free in hpfs_get_ea
Fix a use-after-free vulnerability in hpfs_get_ea() where corrupted
extended attribute data could cause strcmp() to access freed memory.
The issue occurs in the EA iteration loop where next_ea() can produce
invalid pointers due to insufficient validation of ea->namelen and
the calculated next EA position. This can lead to accessing memory
that has been freed or is outside valid boundaries.
Add proper bounds checking to ensure:
1. EA namelen is reasonable (< 256)
2. EA structure doesn't exceed the EA area bounds
3. next_ea() result stays within valid EA boundaries
Reported-by: syzbot+fa88eb476e42878f2844@...kaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@...r.kernel.org
Signed-off-by: Arnav Kapoor <kapoorarnav43@...il.com>
---
fs/hpfs/ea.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/fs/hpfs/ea.c b/fs/hpfs/ea.c
index 102ba18e561f..7e6e43010fec 100644
--- a/fs/hpfs/ea.c
+++ b/fs/hpfs/ea.c
@@ -135,7 +135,31 @@ char *hpfs_get_ea(struct super_block *s, struct fnode
*fnode, char *key, int *si
secno a;
struct extended_attribute *ea;
struct extended_attribute *ea_end = fnode_end_ea(fnode);
- for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea))
+ for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea)) {
+ /* Validate EA structure bounds */
+ if ((char *)ea + sizeof(*ea) > (char *)ea_end) {
+ hpfs_error(s, "EA structure exceeds bounds");
+ return NULL;
+ }
+
+ /* Validate namelen to prevent overflow */
+ if (ea->namelen >= 256) {
+ hpfs_error(s, "EA namelen too large: %d", ea->namelen);
+ return NULL;
+ }
+
+ /* Ensure name field is within bounds */
+ if ((char *)ea + 5 + ea->namelen > (char *)ea_end) {
+ hpfs_error(s, "EA name field exceeds bounds");
+ return NULL;
+ }
+
+ /* Validate next_ea() result will be within bounds */
+ if (next_ea(ea) > ea_end) {
+ hpfs_error(s, "next EA exceeds bounds");
+ return NULL;
+ }
+
if (!strcmp(ea->name, key)) {
if (ea_indirect(ea))
return get_indirect_ea(s, ea_in_anode(ea), ea_sec(ea), *size =
ea_len(ea));
@@ -147,6 +171,7 @@ char *hpfs_get_ea(struct super_block *s, struct fnode
*fnode, char *key, int *si
ret[ea_valuelen(ea)] = 0;
return ret;
}
+ }
a = le32_to_cpu(fnode->ea_secno);
len = le32_to_cpu(fnode->ea_size_l);
ano = fnode_in_anode(fnode);
On Friday, 18 July 2025 at 18:10:08 UTC+5:30 syzbot wrote:
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file fs/hpfs/ea.c
patch: **** malformed patch at line 36: if (ea_indirect(ea))
Tested on:
commit: 6832a931 Merge tag 'net-6.16-rc7' of git://git.kernel...
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=f09d04131ef56b22
dashboard link: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=129db382580000
Powered by blists - more mailing lists