lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <68d8e78f.050a0220.25d7ab.04c8.GAE@google.com>
Date: Sun, 28 Sep 2025 00:45:19 -0700
From: syzbot <syzbot+038b7bf43423e132b308@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: [PATCH] ext4: Fix extent boundary validation in extent tree

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: [PATCH] ext4: Fix extent boundary validation in extent tree
Author: kartikey406@...il.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


This patch addresses a vulnerability in EXT4 extent tree validation
where logically impossible extent entries could be created. The fix
prevents extent entries with an end block less than the start block.

Key changes:
- Add boundary checks to validate extent entries
- Prevent creation of extents with invalid block ranges
- Improve extent tree integrity checks

The bug was discovered via syzkaller, which generated a test case
exposing this boundary condition vulnerability during filesystem
metadata parsing.

Fixes: https://syzkaller.appspot.com/bug?extid=038b7bf43423e132b308
Reported-by: syzkaller <syzkaller@...glegroups.com>
Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
---
 fs/ext4/extents.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index ca5499e9412b..987a07a8554e 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -418,6 +418,10 @@ static int ext4_valid_extent_entries(struct inode *inode,
 
 			/* Check for overlapping extents */
 			lblock = le32_to_cpu(ext->ee_block);
+			ext4_lblk_t len = ext4_ext_get_actual_len(ext);
+			ext4_lblk_t end = lblock + len - 1;
+			if (end < lblock)
+				return 0;
 			if (lblock < cur) {
 				*pblk = ext4_ext_pblock(ext);
 				return 0;
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ