From: syzbot <syzbot+fa88eb476e42878f2844@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: Private message regarding: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea
Date: Fri, 18 Jul 2025 05:57:32 -0700 [thread overview]
Message-ID: <687a44bc.a70a0220.693ce.0064.GAE@google.com> (raw)
In-Reply-To: <68794b99.a70a0220.693ce.0052.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Private message regarding: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea
Author: kapoorarnav43@gmail.com
#syz test
From: Arnav Kapoor <kapoorarnav43@gmail.com>
Date: Fri, 18 Jul 2025 12:00:00 +0000
Subject: [PATCH] hpfs: fix use-after-free in hpfs_get_ea
Fix a use-after-free vulnerability in hpfs_get_ea() where corrupted
extended attribute data could cause strcmp() to access freed memory.
The issue occurs in the EA iteration loop where next_ea() can produce
invalid pointers due to insufficient validation of ea->namelen and
the calculated next EA position. This can lead to accessing memory
that has been freed or is outside valid boundaries.
Add proper bounds checking to ensure:
1. EA namelen is reasonable (< 256)
2. EA structure doesn't exceed the EA area bounds
3. next_ea() result stays within valid EA boundaries
Reported-by: syzbot+fa88eb476e42878f2844@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Arnav Kapoor <kapoorarnav43@gmail.com>
---
fs/hpfs/ea.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/fs/hpfs/ea.c b/fs/hpfs/ea.c
index 102ba18e561f..7e6e43010fec 100644
--- a/fs/hpfs/ea.c
+++ b/fs/hpfs/ea.c
@@ -135,7 +135,31 @@ char *hpfs_get_ea(struct super_block *s, struct fnode
*fnode, char *key, int *si
secno a;
struct extended_attribute *ea;
struct extended_attribute *ea_end = fnode_end_ea(fnode);
- for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea))
+ for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea)) {
+ /* Validate EA structure bounds */
+ if ((char *)ea + sizeof(*ea) > (char *)ea_end) {
+ hpfs_error(s, "EA structure exceeds bounds");
+ return NULL;
+ }
+
+ /* Validate namelen to prevent overflow */
+ if (ea->namelen >= 256) {
+ hpfs_error(s, "EA namelen too large: %d", ea->namelen);
+ return NULL;
+ }
+
+ /* Ensure name field is within bounds */
+ if ((char *)ea + 5 + ea->namelen > (char *)ea_end) {
+ hpfs_error(s, "EA name field exceeds bounds");
+ return NULL;
+ }
+
+ /* Validate next_ea() result will be within bounds */
+ if (next_ea(ea) > ea_end) {
+ hpfs_error(s, "next EA exceeds bounds");
+ return NULL;
+ }
+
if (!strcmp(ea->name, key)) {
if (ea_indirect(ea))
return get_indirect_ea(s, ea_in_anode(ea), ea_sec(ea), *size =
ea_len(ea));
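Review bot: every new check in this loop body is relative to ea_end, but ea_end = fnode_end_ea(fnode) is itself derived from on-disk fnode fields and is not validated against the fnode buffer anywhere in this hunk, so a corrupted EA offset/size that places ea_end past the sector leaves all four comparisons satisfied while ea still walks out of bounds; validating ea_end against the fnode size once before the loop would close that. Two smaller points: `if (ea->namelen >= 256)` can never be true for the one-byte namelen field, so that branch is dead (and may draw a compiler warning), and `if ((char *)ea + 5 + ea->namelen > (char *)ea_end)` only guarantees that the byte at ea->name[ea->namelen] lies inside the area, not that it is NUL, so the following `if (!strcmp(ea->name, key))` can still read past the record. Either check `ea->name[ea->namelen] == 0` up front or use a length-bounded comparison instead of strcmp.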
@@ -147,6 +171,7 @@ char *hpfs_get_ea(struct super_block *s, struct fnode
*fnode, char *key, int *si
ret[ea_valuelen(ea)] = 0;
return ret;
}
+ }
a = le32_to_cpu(fnode->ea_secno);
len = le32_to_cpu(fnode->ea_size_l);
ano = fnode_in_anode(fnode);
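Review bot: this hunk only closes the brace opened by the first one, so the new validation covers just the in-fnode EA list; the trailing context (`a = le32_to_cpu(fnode->ea_secno);`, `len = le32_to_cpu(fnode->ea_size_l);`) shows the function going on to walk the external EA area, which gets no equivalent bounds checks in this patch. If that area can carry the same corrupted namelen and length values, the same strcmp read is reachable there, so either extend the checks to that loop or explain in the commit message why it is out of scope. Separately, syzbot reports the posted patch as malformed at line 36, so it needs to be resent intact (e.g. via git send-email) before it can be tested at all.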
On Friday, 18 July 2025 at 18:10:08 UTC+5:30 syzbot wrote:
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file fs/hpfs/ea.c
patch: **** malformed patch at line 36: if (ea_indirect(ea))
Tested on:
commit: 6832a931 Merge tag 'net-6.16-rc7' of git://git.kernel...
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=f09d04131ef56b22
dashboard link: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=129db382580000