lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aRHSrpFone-SSkZa@quatroqueijos.cascardo.eti.br>
Date: Mon, 10 Nov 2025 08:55:26 -0300
From: Thadeu Lima de Souza Cascardo <cascardo@...lia.com>
To: Raphael Pinsonneault-Thibeault <rpthibeault@...il.com>
Cc: tytso@....edu, adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org,
	linux-kernel@...r.kernel.org, linux-kernel-mentees@...ts.linux.dev,
	skhan@...uxfoundation.org,
	syzbot+3ee481e21fd75e14c397@...kaller.appspotmail.com
Subject: Re: [PATCH] ext4: validate xattrs to avoid OOB in
 ext4_find_inline_entry

On Sat, Nov 08, 2025 at 03:25:46PM -0500, Raphael Pinsonneault-Thibeault wrote:
> When looking for an entry in an inlined directory, if e_value_offs is
> changed underneath the filesystem by some change in the block device, it
> will lead to an out-of-bounds access that KASAN detects as a
> use-after-free.
> 
> This is a similar problem as fixed by
> commit c6b72f5d82b1 ("ext4: avoid OOB when system.data xattr changes underneath the filesystem")
> whose fix was to call ext4_xattr_ibody_find() right after reading the
> inode with ext4_get_inode_loc() to check the validity of the xattrs.
> 
> However, ext4_xattr_ibody_find() only checks xattr names, via
> xattr_find_entry(), not e_value_offs.
> 
> Fix by calling xattr_check_inode() which performs a full check on the
> xattrs in inode.
> 
> Reported-by: syzbot+3ee481e21fd75e14c397@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
> Tested-by: syzbot+3ee481e21fd75e14c397@...kaller.appspotmail.com
> Fixes: c6b72f5d82b10 ("ext4: avoid OOB when system.data xattr changes underneath the filesystem")
> Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@...il.com>
> ---
>  fs/ext4/inline.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
> index 1b094a4f3866..7d46e1e16b52 100644
> --- a/fs/ext4/inline.c
> +++ b/fs/ext4/inline.c
> @@ -1593,6 +1593,13 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,
>  
>  	down_read(&EXT4_I(dir)->xattr_sem);
>  
> +	if (EXT4_INODE_HAS_XATTR_SPACE(dir)) {
> +		ret = xattr_check_inode(dir, IHDR(dir, ext4_raw_inode(&is.iloc)),
> +					ITAIL(dir, ext4_raw_inode(&is.iloc)));
> +		if (ret)
> +			goto out;
> +	}
> +

ext4_xattr_ibody_find used to call xattr_check_inode until commit
5701875f9609 ("ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()").

So every other place where ext4_xattr_ibody_find was protecting against such
block device changes is not working since.

At least, the Fixes: line should change to point out to that commit, but I
wonder if the inode checking should be put back there. I haven't investigated if
that would regress the bug it fixes, though.

Cascardo.

>  	ret = ext4_xattr_ibody_find(dir, &i, &is);
>  	if (ret)
>  		goto out;
> -- 
> 2.43.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ