From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BF94830C60F; Thu, 2 Jul 2026 17:00:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783011615; cv=none; b=mFvM139wnrlGPI9bERbjpUhmdwLsrcz0dtybWd73rZFQLc9UU1xbAbgaPiSRhojH0VBnvxOHWG12xAiKNHdaKSnf4cIiMMYsQa5nEEapGfHSCOpw6xWyb6Ypv22xR/F1MOlz7Gs/aBDG1gfT1R2E+jtXNQDskDS0IBFbeu+jzyo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783011615; c=relaxed/simple; bh=vm0qgJ+hQYzPZ56fTC/CUvjS6Zf1crQa2/aHWA//GWE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=iNRIF2e/BYB5NRGAAWTMaeRoEybtyu4P/NlHuj6oWqHp3MeF5AN2Iy5Pqf582Vf5e7dVDTe4jfuYWKTPcOf4zUmCXQIGw5nnz/0OLkr/k8VPfOLv8WuxDTMYBp1FUoCtWVShD418FC/6lcv1dS+N1Nq6mIOzQ9B9klpb0QlwgLk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=PcTX8N+7; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="PcTX8N+7" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 30DAD1F00A3D; Thu, 2 Jul 2026 17:00:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1783011614; bh=Q2zYYweBl//9gteHaK6c3eqGn9HtAHe/gLUrJ6ow8KY=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=PcTX8N+76rSKEis7VyIiTTC31Bp1sexCQIlSBR84fs9Yoac1NYEfm8UQNQi0LYQ61 namzV/QfmHEs+CBTNnyiqYvAtV3Jb9flNS6qGjzg4qGpJz5EWKNXyTyrr9asq7Dhum XR9ec4mOCZqpjD/G2B6CtXn/MlScFkJbzeJ0mqJo= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Bryam Vargas , Chao Yu , Jaegeuk Kim Subject: [PATCH 7.1 067/120] f2fs: bound i_inline_xattr_size for non-inline-xattr inodes Date: Thu, 2 Jul 2026 18:21:03 +0200 Message-ID: <20260702155114.346209297@linuxfoundation.org> X-Mailer: git-send-email 2.55.0 In-Reply-To: <20260702155112.964534952@linuxfoundation.org> References: <20260702155112.964534952@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 7.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Bryam Vargas commit 378acf3cf19b6af6cba55e8dd1154c4e1504bae8 upstream. When the flexible_inline_xattr feature is enabled, do_read_inode() loads the on-disk i_inline_xattr_size unconditionally: if (f2fs_sb_has_flexible_inline_xattr(sbi)) fi->i_inline_xattr_size = le16_to_cpu(ri->i_inline_xattr_size); but sanity_check_inode() only range-checks it when the inode also has the FI_INLINE_XATTR flag set. An inode that carries an inline dentry or inline data but not FI_INLINE_XATTR -- the normal layout for an inline directory -- therefore keeps a fully attacker-controlled i_inline_xattr_size from a crafted image. get_inline_xattr_addrs() returns that value with no flag gating, so it feeds the inode geometry: MAX_INLINE_DATA() = 4 * (CUR_ADDRS_PER_INODE - i_inline_xattr_size - 1) NR_INLINE_DENTRY() = MAX_INLINE_DATA() * BITS_PER_BYTE / (...) addrs_per_page() = CUR_ADDRS_PER_INODE - i_inline_xattr_size A large i_inline_xattr_size drives MAX_INLINE_DATA() and NR_INLINE_DENTRY() negative, so make_dentry_ptr_inline() sets d->max (int) to a negative value. The inline directory walk then compares an unsigned long bit_pos against that negative d->max, which is promoted to a huge unsigned bound, and reads far past the inline area: while (bit_pos < d->max) /* fs/f2fs/dir.c */ ... test_bit_le(bit_pos, d->bitmap) / d->dentry[bit_pos] ... Mounting a crafted image and reading such a directory triggers an out-of-bounds read in f2fs_fill_dentries(); the same underflow also corrupts ADDRS_PER_INODE for regular files. Validate i_inline_xattr_size against MAX_INLINE_XATTR_SIZE whenever the flexible_inline_xattr feature is enabled -- i.e. whenever the value is loaded from disk and consumed -- and keep the lower MIN_INLINE_XATTR_SIZE bound gated on inodes that actually carry an inline xattr, so legitimate inodes with i_inline_xattr_size == 0 are still accepted. Cc: stable@vger.kernel.org Fixes: 6afc662e68b5 ("f2fs: support flexible inline xattr size") Signed-off-by: Bryam Vargas Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman --- fs/f2fs/inode.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -324,9 +324,9 @@ static bool sanity_check_inode(struct in } if (f2fs_sb_has_flexible_inline_xattr(sbi) && - f2fs_has_inline_xattr(inode) && - (fi->i_inline_xattr_size < MIN_INLINE_XATTR_SIZE || - fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE)) { + (fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE || + (f2fs_has_inline_xattr(inode) && + fi->i_inline_xattr_size < MIN_INLINE_XATTR_SIZE))) { f2fs_warn(sbi, "%s: inode (ino=%llx) has corrupted i_inline_xattr_size: %d, min: %zu, max: %lu", __func__, inode->i_ino, fi->i_inline_xattr_size, MIN_INLINE_XATTR_SIZE, MAX_INLINE_XATTR_SIZE);