lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <68829b32-7a8c-475a-9e27-f71822eb541b@huaweicloud.com>
Date: Mon, 29 Sep 2025 10:01:08 +0800
From: Zhang Yi <yi.zhang@...weicloud.com>
To: Deepanshu Kartikey <kartikey406@...il.com>
Cc: tytso@....edu, adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org,
 linux-kernel@...r.kernel.org,
 syzbot+038b7bf43423e132b308@...kaller.appspotmail.com
Subject: Re: [PATCH] ext4: validate extent entries before caching in
 ext4_find_extent()

Hi, Deepanshu!

On 9/28/2025 6:09 PM, Deepanshu Kartikey wrote:
> syzbot reported a BUG_ON in ext4_es_cache_extent() triggered when
> opening a verity file on a corrupted ext4 filesystem mounted without
> a journal.
> 
> The issue occurs when the extent tree contains out-of-order extents,
> which can happen in a corrupted filesystem. ext4_find_extent() calls
> ext4_cache_extents() without validating the extent entries when the
> tree depth is 0 (leaf level). This allows corrupted extent trees with
> out-of-order extents to be cached, triggering a BUG_ON in
> ext4_es_cache_extent() due to integer underflow when calculating hole
> sizes:
> 
>   If prev = 4352 and lblk = 1280:
>   lblk - prev = 1280 - 4352 = -3072 (as signed)
>   = 4294964224 (as unsigned)
>   end = lblk + len - 1 = 4352 + 4294964224 - 1 = 1279 (after overflow)
>   BUG_ON(end < lblk) triggers because 1279 < 4352
> 
> Fix this by adding extent entry validation using the existing
> ext4_valid_extent_entries() function before caching. This ensures
> corrupted extent trees are detected and handled properly through the
> error path, preventing both the BUG_ON and potential use-after-free
> issues.
> 

Thank you for the fix patch! However, I am curious why the check in
__ext4_iget()->ext4_ext_check_inode() fails? It should check the
extents of the root node and be able to caught this corruption.

Thanks,
Yi

> Reported-and-tested-by: syzbot+038b7bf43423e132b308@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=038b7bf43423e132b308
> Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
> ---
>  fs/ext4/extents.c | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
> index ca5499e9412b..f8e45623f7ea 100644
> --- a/fs/ext4/extents.c
> +++ b/fs/ext4/extents.c
> @@ -924,8 +924,18 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
>  	path[0].p_bh = NULL;
>  
>  	i = depth;
> -	if (!(flags & EXT4_EX_NOCACHE) && depth == 0)
> +	if (!(flags & EXT4_EX_NOCACHE) && depth == 0) {
> +		ext4_fsblk_t pblk = 0;
> +
> +		if (!ext4_valid_extent_entries(inode, eh, 0, &pblk, 0)) {
> +			EXT4_ERROR_INODE(inode,
> +				"invalid extent entries, pblk %llu",
> +				pblk);
> +			ret = -EFSCORRUPTED;
> +			goto err;
> +		}
>  		ext4_cache_extents(inode, eh);
> +	}
>  	/* walk through the tree */
>  	while (i) {
>  		ext_debug(inode, "depth %d: num %d, max %d\n",

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ