Message-ID: <yiza5dit6fgkeoshpqptaqyuohxup7n2jtmdasodblp6voi7qa@66pgsjaykg73>
Date: Mon, 17 Nov 2025 16:13:02 +0800
From: Heming Zhao <heming.zhao@...e.com>
To: Deepanshu Kartikey <kartikey406@...il.com>
Cc: mark@...heh.com, jlbec@...lplan.org, joseph.qi@...ux.alibaba.com, 
	ocfs2-devel@...ts.linux.dev, linux-kernel@...r.kernel.org, 
	syzbot+ab0ad25088673470d2d9@...kaller.appspotmail.com
Subject: Re: [PATCH v2] ocfs2: validate xattr entry count in ocfs2_xattr_list_entries

On Mon, Nov 17, 2025 at 12:02:17PM +0530, Deepanshu Kartikey wrote:
> Add validation of xattr entry count before accessing entries to prevent
> out-of-bounds array access and use-after-free bugs. A corrupted
> filesystem with an invalid xh_count value can cause the loop to access
> memory beyond the allocated block, potentially reaching freed memory
> pages.
> 
> The validation calculates the maximum number of entries that can fit in
> the available space and rejects counts that exceed this limit. This
> prevents the subsequent loop from accessing invalid memory addresses.
> 
> Without this check, the code directly uses xh_count from disk in array
> indexing operations like &header->xh_entries[i], which can point outside
> the block when xh_count is corrupted, triggering KASAN use-after-free
> detection.
> 
> Reported-by: syzbot+ab0ad25088673470d2d9@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9
> Tested-by: syzbot+ab0ad25088673470d2d9@...kaller.appspotmail.com
> Suggested-by: Heming Zhao <heming.zhao@...e.com>
> Link: https://lore.kernel.org/all/20251111073831.2027072-1-kartikey406@gmail.com/ [v1]
> Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
> ---
> Changes in v2:
>  - Changed return value from -EUCLEAN to -EFSCORRUPTED for consistency
>    with existing xattr error handling (suggested by Heming Zhao)
> 
>  fs/ocfs2/xattr.c | 17 ++++++++++++++++-
>  1 file changed, 16 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
> index d70a20d29e3e..f7341e3d8a6c 100644
> --- a/fs/ocfs2/xattr.c
> +++ b/fs/ocfs2/xattr.c
> @@ -928,8 +928,23 @@ static int ocfs2_xattr_list_entries(struct inode *inode,
>  	size_t result = 0;
>  	int i, type, ret;
>  	const char *name;
> +	u16 count;
> +	size_t max_entries;
> +	struct super_block *sb = inode->i_sb;
> +
> +	count = le16_to_cpu(header->xh_count);
> +	max_entries = (sb->s_blocksize - sizeof(struct ocfs2_xattr_header)) /
> +		       sizeof(struct ocfs2_xattr_entry);
>  
> -	for (i = 0 ; i < le16_to_cpu(header->xh_count); i++) {
> +	if (count > max_entries) {
> +		ocfs2_error(sb,
> +			    "xattr entry count %u exceeds maximum %zu in inode %llu\n",
> +			    count, max_entries,
> +			    (unsigned long long)OCFS2_I(inode)->ip_blkno);
> +		return -EFSCORRUPTED;

The errno (-EFSCORRUPTED) looks good to me.

Sorry for my carelessness in reviewing the v1 patch.
It seems the patch code only handles the xattr inline mode. For the xattr
extra block mode, the calculation above for max_entries is wrong.
Btw, even for inline mode, the code also needs to be revised. Please
check the 'header' value in the caller ocfs2_xattr_ibody_list().
For this syzbot bug, you can put the sanity check code in ocfs2_xattr_ibody_list().
For the extra xattr block mode, ocfs2_validate_xattr_block() seems like a good
place to put the fix.

For the minimal code change to satisfy syzbot, we can just put the sanity check
in ocfs2_xattr_ibody_list().

Thanks,
Heming
> +	}
> +
> +	for (i = 0; i < count; i++) {
>  		struct ocfs2_xattr_entry *entry = &header->xh_entries[i];
>  		type = ocfs2_xattr_get_type(entry);
>  		name = (const char *)header +
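Review bot: the bound computed at `max_entries = (sb->s_blocksize - sizeof(struct ocfs2_xattr_header)) / sizeof(struct ocfs2_xattr_entry);` assumes the header begins at offset 0 of a full block, but ocfs2_xattr_list_entries() only receives `header` and cannot tell whether that header sits in the inline area of an inode block or inside a separate xattr block, so the limit is loose whenever other data precedes the header in its container. Consider having each caller pass the number of bytes actually available after the header (or moving the check to the callers, where the container is known), and note that the loop still trusts each entry's on-disk name offset when it forms `name = (const char *)header +`, which a check on the count alone does not cover.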
> -- 
> 2.43.0
> 
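The check the commit message describes, and the reviewer's point that the available space depends on where the header sits inside its container, can be shown with a small self-contained C program. This is an added example written for this page, not the patch's or ocfs2's code: the `toy_xattr_*` structures, the 256-byte block with the header at offset 128, and the `toy_*` helpers are all constructed here, and `TOY_EFSCORRUPTED` only stands in for the kernel's -EFSCORRUPTED. It bounds the on-disk count by the bytes the caller says really follow the header, and also bounds each entry's name range, which the quoted hunk does not do.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy on-disk layout built for this example; NOT the ocfs2 structures.
 * It mirrors the pattern in the patch: a header carrying a 16-bit entry
 * count, followed by a flexible array of fixed-size entries. */
struct toy_xattr_entry {
	uint32_t name_hash;
	uint16_t name_offset;	/* byte offset of the name from the header start */
	uint8_t  name_len;
	uint8_t  type;
	uint64_t value_size;
};

struct toy_xattr_header {
	uint16_t count;		/* untrusted: read straight from disk */
	uint16_t reserved;
	uint32_t free_start;
	struct toy_xattr_entry entries[];
};

#define TOY_EFSCORRUPTED (-117)	/* placeholder for the kernel's -EFSCORRUPTED */

/* Largest count that fits when 'avail' bytes follow the header start. */
static size_t toy_max_entries(size_t avail)
{
	if (avail < sizeof(struct toy_xattr_header))
		return 0;
	return (avail - sizeof(struct toy_xattr_header)) /
	       sizeof(struct toy_xattr_entry);
}

/* Walk the entries like the patched loop, but bound both the count and each
 * entry's name range against 'avail', the space the caller knows is really
 * available after the header. Returns the entry count or a negative error. */
static int toy_list_entries(const struct toy_xattr_header *hdr, size_t avail)
{
	uint16_t count = hdr->count;	/* le16_to_cpu() in the kernel; host LE assumed */
	uint16_t i;

	if (count > toy_max_entries(avail))
		return TOY_EFSCORRUPTED;

	for (i = 0; i < count; i++) {
		const struct toy_xattr_entry *e = &hdr->entries[i];

		/* The count check only bounds the index; the name offset also
		 * comes from disk and needs its own check before a pointer
		 * such as (const char *)hdr + e->name_offset is formed. */
		if ((size_t)e->name_offset + e->name_len > avail)
			return TOY_EFSCORRUPTED;
	}
	return count;
}

/* Constructed sample: a 256-byte block whose xattr header sits at offset 128,
 * so only 128 bytes belong to the xattr area. The backing buffer is padded so
 * the example itself never reads outside real memory. */
#define TOY_BLOCK	256
#define TOY_HDR_OFF	128

static _Alignas(8) unsigned char toy_buf[2 * TOY_BLOCK];

/* Byte offset within the block one past entry i. */
static size_t toy_entry_end(size_t i)
{
	return TOY_HDR_OFF + sizeof(struct toy_xattr_header) +
	       (i + 1) * sizeof(struct toy_xattr_entry);
}

static struct toy_xattr_header *toy_build_sample(uint16_t count, uint16_t bad_name_off)
{
	struct toy_xattr_header *hdr = (struct toy_xattr_header *)(toy_buf + TOY_HDR_OFF);
	uint16_t i;

	memset(toy_buf, 0, sizeof(toy_buf));
	hdr->count = count;
	for (i = 0; i < count && toy_entry_end(i) <= sizeof(toy_buf); i++) {
		hdr->entries[i].name_offset = 120;	/* names end exactly at the area's end */
		hdr->entries[i].name_len = 8;
	}
	if (bad_name_off && count)
		hdr->entries[0].name_offset = bad_name_off;	/* simulated corruption */
	return hdr;
}

/* Run the check with a given count and the 'avail' the caller believes in:
 * 128 is the true xattr area, 256 is the whole-block bound the hunk computes. */
static int toy_check(uint16_t count, size_t avail, uint16_t bad_name_off)
{
	return toy_list_entries(toy_build_sample(count, bad_name_off), avail);
}
```

With the true area size (128 bytes) `toy_max_entries` is 7 and a count of 8 is rejected; with the whole block size (256 bytes) the bound rises to 15 and the same count of 8 passes even though entry 7 ends at byte 264, past the end of the block. That is the gap the reviewer describes: the bound is only as tight as the caller's knowledge of the container, so it belongs where that knowledge exists.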
