| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <68de4808.050a0220.25d7ab.0784.GAE@google.com>
Date: Thu, 02 Oct 2025 02:38:16 -0700
From: syzbot <syzbot+3ee481e21fd75e14c397@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: [PATCH] ext4: reject system.data xattr with external inode storage
For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.
***
Subject: [PATCH] ext4: reject system.data xattr with external inode storage
Author: kartikey406@...il.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Prevent use-after-free in ext4_search_dir by rejecting inline directory
xattr entries that claim to use external inode storage.
ext4 uses the system.data xattr to store inline directory entries
within the inode. When an inode has the EXT4_INODE_INLINE_DATA flag set,
the system.data xattr must use inline storage (e_value_inum == 0).
However, a corrupted filesystem can craft a system.data xattr entry with
e_value_inum != 0, creating an inconsistency. The existing validation in
check_xattrs() skips e_value_offs validation when e_value_inum != 0,
allowing a corrupt e_value_offs to pass through unchecked.
Later, when ext4_find_inline_entry() is called, ext4_get_inline_xattr_pos()
reads the corrupt e_value_offs and calculates an inline_start pointer that
can point outside the inode buffer, potentially into freed memory. When
ext4_search_dir() attempts to access this invalid pointer, it results in
a KASAN use-after-free.
Fix this by validating in check_xattrs() that if an inode has the inline
data flag set, the system.data xattr entry must have e_value_inum == 0.
This enforces the consistency between the inode flag and xattr storage
type, catching the corruption at validation time during inode load before
the corrupt pointer can be used.
Reported-by: syzbot+3ee481e21fd75e14c397@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
---
fs/ext4/xattr.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 8680f649ea7e..827f2b6175d0 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -195,7 +195,7 @@ check_xattrs(struct inode *inode, struct buffer_head *bh,
struct ext4_xattr_entry *e = entry;
int err = -EFSCORRUPTED;
char *err_str;
-
+ printk(KERN_WARNING "ext_check_xattrs: entered in function\n");
if (bh) {
if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) ||
BHDR(bh)->h_blocks != cpu_to_le32(1)) {
@@ -251,12 +251,18 @@ check_xattrs(struct inode *inode, struct buffer_head *bh,
err_str = "invalid ea_ino";
goto errout;
}
- if (entry->e_name_index == EXT4_XATTR_INDEX_SYSTEM &&
- entry->e_name_len == 4 &&
- !memcmp(entry->e_name,"data", 4) &&
- ea_ino != 0) {
+ if (ext4_has_inline_data(inode) && ea_ino != 0) {
err_str = "system.data xattr cannot use external inode storage";
- goto errout;
+ goto errout;
+ }
+ if (entry->e_name_index == EXT4_XATTR_INDEX_SYSTEM &&
+ entry->e_name_len == 4 &&
+ !memcmp(entry->e_name, "data", 4)) {
+ printk(KERN_ERR "Found system.data xattr: ea_ino=%lu\n", ea_ino);
+ if (ext4_has_inline_data(inode) && ea_ino != 0) {
+ err_str = "system.data xattr cannot use external inode storage";
+ goto errout;
+ }
}
if (size > EXT4_XATTR_SIZE_MAX) {
err_str = "e_value size too large";
--
2.43.0
Powered by blists - more mailing lists