From: qasdev <qasdev00@gmail.com>
To: Jaegeuk Kim <jaegeuk@kernel.org>, Chao Yu <chao@kernel.org>
Cc: linux-kernel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net
Subject: [f2fs-dev] [PATCH] f2fs: Fix slab-out-of-bounds Read KASAN bug in f2fs_getxattr()
Date: Tue, 7 Jan 2025 23:03:50 +0000
Message-ID: <Z32y1rfBY9Qb5ZjM@qasdev.system>
In f2fs_getxattr(), the function lookup_all_xattrs() allocates a 12-byte
(base_size) buffer for an inline extended attribute. However, when
__find_inline_xattr() calls __find_xattr(), it uses the macro
"list_for_each_xattr(entry, addr)", which starts by calling
XATTR_FIRST_ENTRY(addr). This skips a 24-byte struct f2fs_xattr_header
at the beginning of the buffer, causing an immediate out-of-bounds read
in a 12-byte allocation. The subsequent !IS_XATTR_LAST_ENTRY(entry)
check then dereferences memory outside the allocated region, triggering
the slab-out-of-bounds read.

This patch prevents the out-of-bounds read by adding a check to bail
out early if inline_size is too small and does not account for the
header plus the 4-byte value that IS_XATTR_LAST_ENTRY reads.
Reported-by: syzbot <syzbot+f5e74075e096e757bdbf@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=f5e74075e096e757bdbf
Tested-by: syzbot <syzbot+f5e74075e096e757bdbf@syzkaller.appspotmail.com>
Tested-by: Qasim Ijaz <qasdev00@gmail.com>
Fixes: 388a2a0640e1 ("f2fs: remove redundant sanity check in sanity_check_inode()")
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
---
fs/f2fs/xattr.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
index 3f3874943679..cf82646bca0e 100644
--- a/fs/f2fs/xattr.c
+++ b/fs/f2fs/xattr.c
@@ -329,6 +329,9 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
if (!xnid && !inline_size)
return -ENODATA;
+ if (inline_size < sizeof(struct f2fs_xattr_header) + sizeof(__u32))
+ return -ENODATA;
+
*base_size = XATTR_SIZE(inode) + XATTR_PADDING_SIZE;
txattr_addr = xattr_alloc(F2FS_I_SB(inode), *base_size, is_inline);
if (!txattr_addr)
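Review bot: the new `+ if (inline_size < sizeof(struct f2fs_xattr_header) + sizeof(__u32))` check also fires when inline_size is 0, so an inode that has an xattr node (xnid set) but no inline xattr area now returns -ENODATA instead of falling through to the xattr node lookup that the preceding `if (!xnid && !inline_size)` check deliberately allows. Guard it with `inline_size && inline_size < ...` to keep that path working, and since the Fixes tag points at a sanity check that was removed from sanity_check_inode(), consider whether a bogus inline size should be rejected once when the inode is loaded rather than on every lookup.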
--
2.39.5
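To make the size arithmetic in the commit message concrete, here is an added illustration (not code from the patch or from f2fs) of the gate that lookup_all_xattrs() needs before walking the inline area. The struct layouts, field names and the decision to let an xattr node with inline_size == 0 proceed are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the on-disk layout the commit message describes:
 * a 24-byte header precedes the entry list, and the last-entry test reads the
 * first 4 bytes of an entry. Field names are assumptions, not the kernel's. */
struct xattr_header { uint32_t magic, refcount, reserved[4]; };  /* 24 bytes */
struct xattr_entry  { uint8_t name_index, name_len; uint16_t value_size; };

#define HEADER_SIZE sizeof(struct xattr_header)
#define ENTRY_PROBE sizeof(uint32_t)  /* bytes the last-entry test dereferences */

/* Return codes mirroring the kernel's: 0 = proceed, -61 (-ENODATA) = bail. */
enum { OK = 0, ENODATA_RC = -61 };

/* Smallest inline area for which XATTR_FIRST_ENTRY plus the last-entry probe
 * stays inside the allocation (28 here; the report's buffer was 12 bytes). */
size_t inline_xattr_min_size(void)
{
    return HEADER_SIZE + ENTRY_PROBE;
}

/* Gate for the inline xattr walk:
 *  - no xattr node and no inline area: nothing to look up (existing check);
 *  - xattr node present but inline_size == 0: proceed, the inline walk is
 *    skipped and only the xattr node is consulted (assumption: this is the
 *    path an unconditional size check would wrongly close);
 *  - inline area smaller than header + probe: bail out, because the first
 *    entry pointer would already lie past the end of the allocation. */
int inline_xattr_gate(uint32_t xnid, size_t inline_size)
{
    if (!xnid && !inline_size)
        return ENODATA_RC;
    if (inline_size && inline_size < inline_xattr_min_size())
        return ENODATA_RC;
    return OK;
}
```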