lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <68dbf53f.a00a0220.102ee.004a.GAE@google.com>
Date: Tue, 30 Sep 2025 08:20:31 -0700
From: syzbot <syzbot+9db318d6167044609878@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: [PATCH] ext4: fix use-after-free in ext4_ext_insert_extent()

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: [PATCH] ext4: fix use-after-free in ext4_ext_insert_extent()
Author: kartikey406@...il.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

syzbot reported a use-after-free bug in ext4_ext_insert_extent() where
fex->ee_block is accessed after the extent header has been freed. This
occurs when the extent header is corrupted or freed by a concurrent
thread during a write operation.

The issue is triggered when multiple threads perform concurrent writes
to the same file. After commit 665575cff098 ("filemap: move prefaulting
out of hot write path"), the write path no longer prefaults pages,
creating a race window where:

1. Thread A enters ext4_ext_insert_extent() and gets extent header pointer
2. Thread B modifies the extent tree, potentially freeing the header
3. Thread A dereferences fex->ee_block from the freed header, causing UAF

Fix this by validating the extent header's magic number and ensuring it
has valid entries before dereferencing the last extent pointer.

Reported-by: syzbot+9db318d6167044609878@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878
Fixes: 665575cff098 ("filemap: move prefaulting out of hot write path")
Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
---
 fs/ext4/extents.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index ca5499e9412b..d71b0fff41cc 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -2083,6 +2083,12 @@ ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
 	/* probably next leaf has space for us? */
 	fex = EXT_LAST_EXTENT(eh);
 	next = EXT_MAX_BLOCKS;
+	if (le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC ||
+	   le16_to_cpu(eh->eh_entries) == 0) {
+		EXT4_ERROR_INODE(inode, "corrupted extent header");
+		 err = -EFSCORRUPTED;
+		goto errout;
+	}
 	if (le32_to_cpu(newext->ee_block) > le32_to_cpu(fex->ee_block))
 		next = ext4_ext_next_leaf_block(path);
 	if (next != EXT_MAX_BLOCKS) {
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ