From: ZhengYuan Huang
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang
Subject: [PATCH] ocfs2: validate inline xattr header before listxattr walks it
Date: Wed, 29 Apr 2026 10:44:34 +0800
Message-ID: <20260429024434.1472685-1-gality369@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org

[BUG]
listxattr() can walk off the end of a dinode block when the inode-body xattr header is corrupted:

BUG: KASAN: use-after-free in ocfs2_xattr_list_entry+0x1bd/0x370 fs/ocfs2/xattr.c:918
Read of size 13 at addr ffff88800ab5c0c0 by task syz.0.1231/3756

Call Trace:
 ...
 ocfs2_xattr_list_entry+0x1bd/0x370 fs/ocfs2/xattr.c:918
 ocfs2_xattr_list_entries+0x1e1/0x320 fs/ocfs2/xattr.c:938
 ocfs2_xattr_ibody_list fs/ocfs2/xattr.c:982 [inline]
 ocfs2_listxattr+0x4fb/0x980 fs/ocfs2/xattr.c:1044
 vfs_listxattr+0xb4/0x120 fs/xattr.c:493
 listxattr+0x76/0x170 fs/xattr.c:924
 filename_listxattr fs/xattr.c:958 [inline]
 path_listxattrat+0x137/0x320 fs/xattr.c:988
 __do_sys_listxattr fs/xattr.c:1001 [inline]
 ...

[CAUSE]
ocfs2_xattr_ibody_list() computes the inline xattr header from di->i_xattr_inline_size and passes it straight to ocfs2_xattr_list_entries(). If corruption inflates xh_count, the list walk steps past the inline xattr area and eventually past the end of the 4K dinode block. The xe_type load in ocfs2_xattr_get_type() then reads poisoned memory.

[FIX]
Validate di->i_xattr_inline_size before locating the header, then bound xh_count by the number of ocfs2_xattr_entry records that fit inside the claimed inline area. Reject corrupted metadata with ocfs2_error() and -EFSCORRUPTED instead of iterating past the dinode block.
Signed-off-by: ZhengYuan Huang --- fs/ocfs2/xattr.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ static int ocfs2_xattr_ibody_list(struct inode *inode, struct ocfs2_dinode *di, char *buffer, size_t buffer_size) { struct ocfs2_xattr_header *header = NULL; struct ocfs2_inode_info *oi = OCFS2_I(inode); int ret = 0; + u16 xattr_count; + size_t max_entries; + u16 inline_size; if (!(oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) return ret; + inline_size = le16_to_cpu(di->i_xattr_inline_size); + + if (inline_size > inode->i_sb->s_blocksize || + inline_size < sizeof(struct ocfs2_xattr_header)) { + ocfs2_error(inode->i_sb, + "Invalid xattr inline size %u in inode %llu\n", + inline_size, + (unsigned long long)OCFS2_I(inode)->ip_blkno); + return -EFSCORRUPTED; + } + header = (struct ocfs2_xattr_header *) ((void *)di + inode->i_sb->s_blocksize - - le16_to_cpu(di->i_xattr_inline_size)); + inline_size); + + xattr_count = le16_to_cpu(header->xh_count); + max_entries = (inline_size - sizeof(struct ocfs2_xattr_header)) / + sizeof(struct ocfs2_xattr_entry); + if (xattr_count > max_entries) { + ocfs2_error(inode->i_sb, + "Invalid xattr entry count %u (max %zu) in inode %llu\n", + xattr_count, max_entries, + (unsigned long long)OCFS2_I(inode)->ip_blkno); + return -EFSCORRUPTED; + } ret = ocfs2_xattr_list_entries(inode, header, buffer, buffer_size); return ret; } -- 2.43.0
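Review bot: the `xattr_count > max_entries` check only keeps the entry table inside the inline area; ocfs2_xattr_list_entry(), reached via ocfs2_xattr_list_entries() as the trace shows, also copies each entry's name from `header + xe_name_offset` for `xe_name_len` bytes, and neither field is validated in this hunk, so a corrupted entry can still direct that copy outside the inline area or past the dinode block (the 13-byte read in the KASAN report reads like a name copy rather than a one-byte xe_type load). Consider adding a per-entry check that `xe_name_offset + xe_name_len <= inline_size` before the walk, or moving the whole inline-header validation into a helper that the ibody find path can share, since it derives the same `(void *)di + s_blocksize - i_xattr_inline_size` pointer and stays unchecked after this patch. Two smaller points: the error paths can be written as `return ocfs2_error(inode->i_sb, ...);` as elsewhere in this file, because ocfs2_error() already returns the error code; and the lower bound only rejects sizes smaller than the header, so an inline_size close to s_blocksize still lets the header overlap the dinode's own fields, which is worth either a tighter upper bound or a comment saying why the s_blocksize cap is enough.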