lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <69664328.050a0220.2e06c6.000d.GAE@google.com>
Date: Tue, 13 Jan 2026 05:05:44 -0800
From: syzbot <syzbot+6986a30df88382d1f7bf@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: [PATCH] ext4: hold buffer reference in ext4_read_inline_dir
 to prevent UAF

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: [PATCH] ext4: hold buffer reference in ext4_read_inline_dir to prevent UAF
Author: kartikey406@...il.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Hold an additional buffer reference during ext4_read_inline_data() to
prevent use-after-free. The iloc buffer_head could be freed by another
thread while ext4_read_inline_data() is accessing it, leading to a
use-after-free read.

The fix ensures the buffer remains valid during the critical section:
- get_bh() before calling ext4_read_inline_data() increments refcount
- Even if another thread calls brelse(), refcount stays above zero
- Buffer cannot be freed while we hold the reference
- brelse() after ext4_read_inline_data() decrements refcount safely

Reported-by: syzbot+6986a30df88382d1f7bf@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6986a30df88382d1f7bf
Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
---
 fs/ext4/inline.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 1f6bc05593df..b7dcbef4d5aa 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1395,14 +1395,25 @@ int ext4_read_inline_dir(struct file *file,
 	}
 
 	inline_size = ext4_get_inline_size(inode);
+
+	/*
+	 * Hold an additional reference to the iloc buffer to prevent
+	 * use-after-free. The buffer could be freed by another thread
+	 * during ext4_read_inline_data() if we don't hold a reference.
+	 */
+	get_bh(iloc.bh);
+
 	dir_buf = kmalloc(inline_size, GFP_NOFS);
 	if (!dir_buf) {
 		ret = -ENOMEM;
+		brelse(iloc.bh);
 		up_read(&EXT4_I(inode)->xattr_sem);
 		goto out;
 	}
 
 	ret = ext4_read_inline_data(inode, dir_buf, inline_size, &iloc);
+	brelse(iloc.bh);
+
 	up_read(&EXT4_I(inode)->xattr_sem);
 	if (ret < 0)
 		goto out;
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ