lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20250923120954.GA531144@mit.edu>
Date: Tue, 23 Sep 2025 08:09:54 -0400
From: "Theodore Ts'o" <tytso@....edu>
To: Deepanshu Kartikey <kartikey406@...il.com>
Cc: adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        syzbot+4c9d23743a2409b80293@...kaller.appspotmail.com
Subject: Re: [PATCH] ext4: validate xattr entries in ext4_xattr_move_to_block

On Tue, Sep 23, 2025 at 02:55:12PM +0530, Deepanshu Kartikey wrote:
> During inode expansion, ext4_xattr_move_to_block() processes xattr entries
> from on-disk structures without validating their integrity. Corrupted
> filesystems may contain xattr entries where e_value_size is zero but
> e_value_inum is non-zero, indicating the entry claims to store its value
> in a separate inode but has no actual value.
> 
> This corruption pattern leads to a WARNING in ext4_xattr_block_set() when
> it encounters i->value_len of zero while i->in_inode is set, violating
> the function's invariant that in-inode xattrs must have non-zero length.
> 
> Add validation in ext4_xattr_move_to_block() to detect this specific
> corruption pattern and return -EFSCORRUPTED, preventing the invalid
> data from propagating to downstream functions and causing warnings.
> 
> Reported-by: syzbot+4c9d23743a2409b80293@...kaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=4c9d23743a2409b80293
> Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>

Thanks for the patch!  Could you try moving the validation test to the
check_xattrs() function?  This should hopefully catch other
maliciously fuzzed file systems so it might address other syzbot
complaints.

Something like:

		if (ea_ino && !size) {
			err_str = "invalid size in ea xattr";
			goto errout;
		}

In retrospect, we probably should have had the code interpret
e_value_size==0 as meaning that the xattr entry is always unused, so
that tests such as:

		if (!last->e_value_inum && last->e_value_size) {

could become

		if (last->e_value_size) {

But there are also places where the code assumes that if e_value_inum
is non-zero, it doesn't need to test e_value_size.

It should be the case where whenever we clear e_value_inum, we also
set i_value_size to zero.  So having e_value_num!=0 && e_value_size==0
should only be the case when someone is trying to maliciously play
games with us.

Cheers,

						- Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ