* [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr
@ 2025-11-10 18:09 syzbot
2025-11-11 1:31 ` Forwarded: [PATCH] ocfs2: validate xattr entry count to prevent use-after-free syzbot
` (4 more replies)
0 siblings, 5 replies; 11+ messages in thread
From: syzbot @ 2025-11-10 18:09 UTC (permalink / raw)
To: jlbec, joseph.qi, linux-kernel, mark, ocfs2-devel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: e424ed997df8 Merge remote-tracking branch 'will/for-next/p..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=1739c412580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b8b659f0cab27b22
dashboard link: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1531aa92580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1361d084580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ada05b916921/disk-e424ed99.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/674414e6bfd1/vmlinux-e424ed99.xz
kernel image: https://storage.googleapis.com/syzbot-assets/67ca98bd56a6/Image-e424ed99.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/5d507ac2b3e1/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=11310412580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com
On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.
OCFS2: File system is now read-only.
==================================================================
BUG: KASAN: use-after-free in ocfs2_xattr_get_type fs/ocfs2/ocfs2_fs.h:1114 [inline]
BUG: KASAN: use-after-free in ocfs2_xattr_list_entries fs/ocfs2/xattr.c:934 [inline]
BUG: KASAN: use-after-free in ocfs2_xattr_ibody_list fs/ocfs2/xattr.c:982 [inline]
BUG: KASAN: use-after-free in ocfs2_listxattr+0x408/0xa74 fs/ocfs2/xattr.c:1044
Read of size 1 at addr ffff0000eba98007 by task syz.0.17/6724
CPU: 1 UID: 0 PID: 6724 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xa8/0x238 mm/kasan/report.c:378
print_report+0x68/0x84 mm/kasan/report.c:482
kasan_report+0xb0/0x110 mm/kasan/report.c:595
__asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378
ocfs2_xattr_get_type fs/ocfs2/ocfs2_fs.h:1114 [inline]
ocfs2_xattr_list_entries fs/ocfs2/xattr.c:934 [inline]
ocfs2_xattr_ibody_list fs/ocfs2/xattr.c:982 [inline]
ocfs2_listxattr+0x408/0xa74 fs/ocfs2/xattr.c:1044
vfs_listxattr+0xc0/0x128 fs/xattr.c:493
ovl_listxattr+0xd8/0x49c fs/overlayfs/xattrs.c:123
vfs_listxattr fs/xattr.c:493 [inline]
listxattr+0x10c/0x380 fs/xattr.c:924
filename_listxattr fs/xattr.c:958 [inline]
path_listxattrat+0x15c/0x33c fs/xattr.c:988
__do_sys_listxattr fs/xattr.c:1001 [inline]
__se_sys_listxattr fs/xattr.c:998 [inline]
__arm64_sys_listxattr+0x84/0x98 fs/xattr.c:998
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:746
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:765
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffb730e pfn:0x12ba98
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffdffc3aeb708 fffffdffc3aeb888 0000000000000000
raw: 0000000ffffb730e 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000eba97f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000eba97f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000eba98000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000eba98080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000eba98100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 11+ messages in thread* Forwarded: [PATCH] ocfs2: validate xattr entry count to prevent use-after-free 2025-11-10 18:09 [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr syzbot @ 2025-11-11 1:31 ` syzbot 2025-11-11 4:29 ` Forwarded: [PATCH] ocfs2: validate xattr header in ocfs2_validate_inode_block syzbot ` (3 subsequent siblings) 4 siblings, 0 replies; 11+ messages in thread From: syzbot @ 2025-11-11 1:31 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ocfs2: validate xattr entry count to prevent use-after-free Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci The ocfs2_xattr_list_entries() function does not validate the xh_count field read from the on-disk xattr header. When processing a corrupted filesystem image, an invalid xh_count value causes the loop to iterate beyond the bounds of the allocated block. This leads to out-of-bounds memory access, potentially reaching freed pages and triggering use-after-free bugs detected by KASAN. The issue occurs because: 1. xh_count is read directly from disk without validation 2. The loop uses this value to access header->xh_entries[i] 3. When xh_count exceeds the block capacity, entry pointers extend beyond the allocated memory 4. Accessing these out-of-bounds pointers can reach freed memory Fix this by validating that xh_count does not exceed the maximum number of entries that can fit within the block before accessing the entries array. Calculate the maximum as: (block_size - header_size) / entry_size If validation fails, log an error and return -EUCLEAN to indicate filesystem corruption. Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ocfs2/xattr.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index d70a20d29e3e..db352df00101 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -928,8 +928,20 @@ static int ocfs2_xattr_list_entries(struct inode *inode, size_t result = 0; int i, type, ret; const char *name; - - for (i = 0 ; i < le16_to_cpu(header->xh_count); i++) { + u16 count; + size_t max_entries; + struct super_block *sb = inode->i_sb; + count = le16_to_cpu(header->xh_count); + max_entries = (sb->s_blocksize - sizeof(struct ocfs2_xattr_header)) / + sizeof(struct ocfs2_xattr_entry); + if (count > max_entries) { + mlog(ML_ERROR, + "xattr entry count %u exceeds maximum %zu in inode %llu\n", + count, max_entries, + (unsigned long long)OCFS2_I(inode)->ip_blkno); + return -EUCLEAN; + } + for (i = 0 ; i < count; i++) { struct ocfs2_xattr_entry *entry = &header->xh_entries[i]; type = ocfs2_xattr_get_type(entry); name = (const char *)header + -- 2.43.0 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Forwarded: [PATCH] ocfs2: validate xattr header in ocfs2_validate_inode_block 2025-11-10 18:09 [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr syzbot 2025-11-11 1:31 ` Forwarded: [PATCH] ocfs2: validate xattr entry count to prevent use-after-free syzbot @ 2025-11-11 4:29 ` syzbot 2025-11-11 4:40 ` syzbot ` (2 subsequent siblings) 4 siblings, 0 replies; 11+ messages in thread From: syzbot @ 2025-11-11 4:29 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ocfs2: validate xattr header in ocfs2_validate_inode_block Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci Add validation of inline xattr header fields when validating inode blocks to catch corruption early before the inode is used by the system. This prevents corrupted xattr counts from causing out-of-bounds access and use-after-free bugs in xattr processing code. The validation checks: 1. xattr_inline_size does not exceed block size 2. xattr_inline_size is large enough for header structure 3. xattr entry count does not exceed available space This moves validation to the inode block validation stage, providing comprehensive protection for all code paths that access inline xattrs. Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ocfs2/inode.c | 41 +++++++++++++++++++++++++++++++++++++++++ fs/ocfs2/xattr.c | 16 ++++++++++++++-- 2 files changed, 55 insertions(+), 2 deletions(-) diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c index fcc89856ab95..9d5342b8dbc6 100644 --- a/fs/ocfs2/inode.c +++ b/fs/ocfs2/inode.c @@ -1458,6 +1458,47 @@ int ocfs2_validate_inode_block(struct super_block *sb, (unsigned long long)bh->b_blocknr); goto bail; } + if (di->i_dyn_features & cpu_to_le16(OCFS2_INLINE_XATTR_FL)) { + struct ocfs2_xattr_header *header; + u16 xattr_inline_size; + u16 xattr_count; + size_t max_entries; + + xattr_inline_size = le16_to_cpu(di->i_xattr_inline_size); + + /* Validate inline size is within block bounds */ + if (xattr_inline_size > sb->s_blocksize) { + mlog(ML_ERROR, + "xattr inline size %u exceeds block size %lu in inode %llu\n", + xattr_inline_size, sb->s_blocksize, + (unsigned long long)bh->b_blocknr); + goto bail; + } + /* If there's xattr data, validate it */ + if (xattr_inline_size > 0) { + /* Must be at least big enough for header */ + if (xattr_inline_size < sizeof(struct ocfs2_xattr_header)) { + mlog(ML_ERROR, + "xattr inline size %u too small for header in inode %llu\n", + xattr_inline_size, + (unsigned long long)bh->b_blocknr); + goto bail; + } + header = (struct ocfs2_xattr_header *) + ((void *)di + sb->s_blocksize - xattr_inline_size); + xattr_count = le16_to_cpu(header->xh_count); + max_entries = (xattr_inline_size - + sizeof(struct ocfs2_xattr_header)) / + sizeof(struct ocfs2_xattr_entry); + if (xattr_count > max_entries) { + mlog(ML_ERROR, + "xattr count %u exceeds maximum %zu in inode %llu\n", + xattr_count, max_entries, + (unsigned long long)bh->b_blocknr); + goto bail; + } + } + } /* * Errors after here are fatal. diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index d70a20d29e3e..db352df00101 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -928,8 +928,21 @@ static int ocfs2_xattr_list_entries(struct inode *inode, size_t result = 0; int i, type, ret; const char *name; - - for (i = 0 ; i < le16_to_cpu(header->xh_count); i++) { + u16 count; + size_t max_entries; + struct super_block *sb = inode->i_sb; + + count = le16_to_cpu(header->xh_count); + max_entries = (sb->s_blocksize - sizeof(struct ocfs2_xattr_header)) / + sizeof(struct ocfs2_xattr_entry); + if (count > max_entries) { + mlog(ML_ERROR, + "xattr entry count %u exceeds maximum %zu in inode %llu\n", + count, max_entries, + (unsigned long long)OCFS2_I(inode)->ip_blkno); + return -EUCLEAN; + } + for (i = 0 ; i < count; i++) { struct ocfs2_xattr_entry *entry = &header->xh_entries[i]; type = ocfs2_xattr_get_type(entry); name = (const char *)header + -- 2.43.0 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Forwarded: [PATCH] ocfs2: validate xattr header in ocfs2_validate_inode_block 2025-11-10 18:09 [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr syzbot 2025-11-11 1:31 ` Forwarded: [PATCH] ocfs2: validate xattr entry count to prevent use-after-free syzbot 2025-11-11 4:29 ` Forwarded: [PATCH] ocfs2: validate xattr header in ocfs2_validate_inode_block syzbot @ 2025-11-11 4:40 ` syzbot 2025-11-11 6:06 ` Forwarded: [PATCH] ocfs2: validate xattr entry count in ocfs2_validate_xattr_block syzbot 2025-11-17 9:17 ` Forwarded: [PATCH v3] ocfs2: validate xattr entry count in ocfs2_xattr_ibody_list syzbot 4 siblings, 0 replies; 11+ messages in thread From: syzbot @ 2025-11-11 4:40 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ocfs2: validate xattr header in ocfs2_validate_inode_block Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci Add validation of inline xattr header fields when validating inode blocks to catch corruption early before the inode is used by the system. This prevents corrupted xattr counts from causing out-of-bounds access and use-after-free bugs in xattr processing code. The validation checks: 1. xattr_inline_size does not exceed block size 2. xattr_inline_size is large enough for header structure 3. xattr entry count does not exceed available space This moves validation to the inode block validation stage, providing comprehensive protection for all code paths that access inline xattrs. Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ocfs2/inode.c | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c index fcc89856ab95..9d5342b8dbc6 100644 --- a/fs/ocfs2/inode.c +++ b/fs/ocfs2/inode.c @@ -1458,6 +1458,47 @@ int ocfs2_validate_inode_block(struct super_block *sb, (unsigned long long)bh->b_blocknr); goto bail; } + if (di->i_dyn_features & cpu_to_le16(OCFS2_INLINE_XATTR_FL)) { + struct ocfs2_xattr_header *header; + u16 xattr_inline_size; + u16 xattr_count; + size_t max_entries; + + xattr_inline_size = le16_to_cpu(di->i_xattr_inline_size); + + /* Validate inline size is within block bounds */ + if (xattr_inline_size > sb->s_blocksize) { + mlog(ML_ERROR, + "xattr inline size %u exceeds block size %lu in inode %llu\n", + xattr_inline_size, sb->s_blocksize, + (unsigned long long)bh->b_blocknr); + goto bail; + } + /* If there's xattr data, validate it */ + if (xattr_inline_size > 0) { + /* Must be at least big enough for header */ + if (xattr_inline_size < sizeof(struct ocfs2_xattr_header)) { + mlog(ML_ERROR, + "xattr inline size %u too small for header in inode %llu\n", + xattr_inline_size, + (unsigned long long)bh->b_blocknr); + goto bail; + } + header = (struct ocfs2_xattr_header *) + ((void *)di + sb->s_blocksize - xattr_inline_size); + xattr_count = le16_to_cpu(header->xh_count); + max_entries = (xattr_inline_size - + sizeof(struct ocfs2_xattr_header)) / + sizeof(struct ocfs2_xattr_entry); + if (xattr_count > max_entries) { + mlog(ML_ERROR, + "xattr count %u exceeds maximum %zu in inode %llu\n", + xattr_count, max_entries, + (unsigned long long)bh->b_blocknr); + goto bail; + } + } + } /* * Errors after here are fatal. -- 2.43.0 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Forwarded: [PATCH] ocfs2: validate xattr entry count in ocfs2_validate_xattr_block 2025-11-10 18:09 [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr syzbot ` (2 preceding siblings ...) 2025-11-11 4:40 ` syzbot @ 2025-11-11 6:06 ` syzbot 2025-11-17 9:17 ` Forwarded: [PATCH v3] ocfs2: validate xattr entry count in ocfs2_xattr_ibody_list syzbot 4 siblings, 0 replies; 11+ messages in thread From: syzbot @ 2025-11-11 6:06 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ocfs2: validate xattr entry count in ocfs2_validate_xattr_block Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci Add validation of xattr entry count when validating external xattr blocks to catch corruption early before the block is used by the system. This prevents corrupted xattr counts from causing out-of-bounds access and use-after-free bugs when processing xattr entries. The validation ensures that xh_count does not exceed the maximum number of entries that can fit within the block. Without this check, a corrupted filesystem image with an invalid xh_count can cause the code to iterate beyond the allocated block boundary, potentially accessing freed memory pages. The check is added to ocfs2_validate_xattr_block() which is called when reading xattr blocks from disk, providing protection for all code paths that subsequently access the xattr entries. This follows the same pattern as other validation checks in the function. This patch complements the inline xattr validation added to ocfs2_validate_inode_block(), providing comprehensive protection for both inline and external xattr storage. Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9 Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- fs/ocfs2/xattr.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index d70a20d29e3e..3d21f2b9966e 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -470,7 +470,23 @@ static int ocfs2_validate_xattr_block(struct super_block *sb, trace_ocfs2_validate_xattr_block((unsigned long long)bh->b_blocknr); BUG_ON(!buffer_uptodate(bh)); - + if (!(le16_to_cpu(xb->xb_flags) & OCFS2_XATTR_INDEXED)) { + struct ocfs2_xattr_header *header = &xb->xb_attrs.xb_header; + u16 xattr_count; + size_t max_entries; + + xattr_count = le16_to_cpu(header->xh_count); + max_entries = (sb->s_blocksize - + offsetof(struct ocfs2_xattr_block, xb_attrs.xb_header) - + sizeof(struct ocfs2_xattr_header)) / + sizeof(struct ocfs2_xattr_entry); + if (xattr_count > max_entries) { + return ocfs2_error(sb, + "Extended attribute block #%llu has invalid xattr count %u (max %zu)\n", + (unsigned long long)bh->b_blocknr, + xattr_count, max_entries); + } + } /* * If the ecc fails, we return the error but otherwise * leave the filesystem running. We know any error is -- 2.43.0 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Forwarded: [PATCH v3] ocfs2: validate xattr entry count in ocfs2_xattr_ibody_list 2025-11-10 18:09 [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr syzbot ` (3 preceding siblings ...) 2025-11-11 6:06 ` Forwarded: [PATCH] ocfs2: validate xattr entry count in ocfs2_validate_xattr_block syzbot @ 2025-11-17 9:17 ` syzbot 4 siblings, 0 replies; 11+ messages in thread From: syzbot @ 2025-11-17 9:17 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH v3] ocfs2: validate xattr entry count in ocfs2_xattr_ibody_list Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci Add validation of inline xattr size and entry count in ocfs2_xattr_ibody_list() to prevent out-of-bounds access and use-after-free bugs when processing corrupted inline xattrs. The validation performs two checks: 1. Validates i_xattr_inline_size is within reasonable bounds (not larger than block size and at least large enough for the xattr header) 2. Validates xattr entry count does not exceed the maximum that can fit in the inline xattr space Without these checks, a corrupted filesystem with invalid inline xattr size or entry count can cause the code to access memory beyond the allocated space, potentially reaching freed memory pages and triggering KASAN use-after-free detection. This fix addresses the syzbot-reported bug by validating inline xattr metadata before use, using the correct inline size calculation rather than block size. Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9 Link: https://lore.kernel.org/all/20251111073831.2027072-1-kartikey406@gmail.com/ [v1] Link: https://lore.kernel.org/all/20251117063217.5690-1-kartikey406@gmail.com/T/ [v2] Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> --- Changes in v3: - Moved validation from ocfs2_xattr_list_entries() to ocfs2_xattr_ibody_list() to use correct inline size calculation (suggested by Heming Zhao) - Added validation of i_xattr_inline_size before use - Changed return value to -EFSCORRUPTED for consistency --- fs/ocfs2/xattr.c | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index d70a20d29e3e..98fd4f3f2d2d 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -971,13 +971,39 @@ static int ocfs2_xattr_ibody_list(struct inode *inode, struct ocfs2_xattr_header *header = NULL; struct ocfs2_inode_info *oi = OCFS2_I(inode); int ret = 0; + u16 xattr_count; + size_t max_entries; + u16 inline_size; if (!(oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) return ret; + inline_size = le16_to_cpu(di->i_xattr_inline_size); + + /* Validate inline size is reasonable */ + if (inline_size > inode->i_sb->s_blocksize || + inline_size < sizeof(struct ocfs2_xattr_header)) { + ocfs2_error(inode->i_sb, + "Invalid xattr inline size %u in inode %llu\n", + inline_size, + (unsigned long long)OCFS2_I(inode)->ip_blkno); + return -EFSCORRUPTED; + } + header = (struct ocfs2_xattr_header *) - ((void *)di + inode->i_sb->s_blocksize - - le16_to_cpu(di->i_xattr_inline_size)); + ((void *)di + inode->i_sb->s_blocksize - inline_size); + + xattr_count = le16_to_cpu(header->xh_count); + max_entries = (inline_size - sizeof(struct ocfs2_xattr_header)) / + sizeof(struct ocfs2_xattr_entry); + + if (xattr_count > max_entries) { + ocfs2_error(inode->i_sb, + "xattr entry count %u exceeds maximum %zu in inode %llu\n", + xattr_count, max_entries, + (unsigned long long)OCFS2_I(inode)->ip_blkno); + return -EFSCORRUPTED; + } ret = ocfs2_xattr_list_entries(inode, header, buffer, buffer_size); -- 2.43.0 ^ permalink raw reply related [flat|nested] 11+ messages in thread
[parent not found: <20251111013052.1801231-1-kartikey406@gmail.com>]
* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr [not found] <20251111013052.1801231-1-kartikey406@gmail.com> @ 2025-11-11 3:17 ` syzbot 0 siblings, 0 replies; 11+ messages in thread From: syzbot @ 2025-11-11 3:17 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Tested-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Tested on: commit: e424ed99 Merge remote-tracking branch 'will/for-next/p.. git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci console output: https://syzkaller.appspot.com/x/log.txt?x=14150658580000 kernel config: https://syzkaller.appspot.com/x/.config?x=b8b659f0cab27b22 dashboard link: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 userspace arch: arm64 patch: https://syzkaller.appspot.com/x/patch.diff?x=1789960a580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 11+ messages in thread
[parent not found: <20251111042938.2015551-1-kartikey406@gmail.com>]
* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr [not found] <20251111042938.2015551-1-kartikey406@gmail.com> @ 2025-11-11 5:34 ` syzbot 0 siblings, 0 replies; 11+ messages in thread From: syzbot @ 2025-11-11 5:34 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Tested-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Tested on: commit: e424ed99 Merge remote-tracking branch 'will/for-next/p.. git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci console output: https://syzkaller.appspot.com/x/log.txt?x=16ac6c12580000 kernel config: https://syzkaller.appspot.com/x/.config?x=b8b659f0cab27b22 dashboard link: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 userspace arch: arm64 patch: https://syzkaller.appspot.com/x/patch.diff?x=16a1a7cd980000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 11+ messages in thread
[parent not found: <20251111044000.2016410-1-kartikey406@gmail.com>]
* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr [not found] <20251111044000.2016410-1-kartikey406@gmail.com> @ 2025-11-11 6:02 ` syzbot 0 siblings, 0 replies; 11+ messages in thread From: syzbot @ 2025-11-11 6:02 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: use-after-free Read in ocfs2_listxattr On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted. OCFS2: File system is now read-only. ================================================================== BUG: KASAN: use-after-free in ocfs2_xattr_get_type fs/ocfs2/ocfs2_fs.h:1114 [inline] BUG: KASAN: use-after-free in ocfs2_xattr_list_entries fs/ocfs2/xattr.c:934 [inline] BUG: KASAN: use-after-free in ocfs2_xattr_ibody_list fs/ocfs2/xattr.c:982 [inline] BUG: KASAN: use-after-free in ocfs2_listxattr+0x408/0xa74 fs/ocfs2/xattr.c:1044 Read of size 1 at addr ffff0000e76a4007 by task syz.0.20/7236 CPU: 1 UID: 0 PID: 7236 Comm: syz.0.20 Not tainted syzkaller #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_address_description+0xa8/0x238 mm/kasan/report.c:378 print_report+0x68/0x84 mm/kasan/report.c:482 kasan_report+0xb0/0x110 mm/kasan/report.c:595 __asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378 ocfs2_xattr_get_type fs/ocfs2/ocfs2_fs.h:1114 [inline] ocfs2_xattr_list_entries fs/ocfs2/xattr.c:934 [inline] ocfs2_xattr_ibody_list fs/ocfs2/xattr.c:982 [inline] ocfs2_listxattr+0x408/0xa74 fs/ocfs2/xattr.c:1044 vfs_listxattr+0xc0/0x128 fs/xattr.c:493 ovl_listxattr+0xd8/0x49c fs/overlayfs/xattrs.c:123 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x10c/0x380 fs/xattr.c:924 filename_listxattr fs/xattr.c:958 [inline] path_listxattrat+0x15c/0x33c fs/xattr.c:988 __do_sys_listxattr fs/xattr.c:1001 [inline] __se_sys_listxattr fs/xattr.c:998 [inline] __arm64_sys_listxattr+0x84/0x98 fs/xattr.c:998 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:746 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:765 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffb9581 pfn:0x1276a4 flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff) raw: 05ffc00000000000 fffffdffc3a50548 fffffdffc39dab88 0000000000000000 raw: 0000000ffffb9581 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000e76a3f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0000e76a3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff0000e76a4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff0000e76a4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff0000e76a4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Tested on: commit: e424ed99 Merge remote-tracking branch 'will/for-next/p.. git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci console output: https://syzkaller.appspot.com/x/log.txt?x=12f30658580000 kernel config: https://syzkaller.appspot.com/x/.config?x=b8b659f0cab27b22 dashboard link: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 userspace arch: arm64 patch: https://syzkaller.appspot.com/x/patch.diff?x=1566f17c580000 ^ permalink raw reply [flat|nested] 11+ messages in thread
[parent not found: <20251111060615.2022366-1-kartikey406@gmail.com>]
* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr [not found] <20251111060615.2022366-1-kartikey406@gmail.com> @ 2025-11-11 7:09 ` syzbot 0 siblings, 0 replies; 11+ messages in thread From: syzbot @ 2025-11-11 7:09 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: use-after-free Read in ocfs2_listxattr On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted. OCFS2: File system is now read-only. ================================================================== BUG: KASAN: use-after-free in ocfs2_xattr_get_type fs/ocfs2/ocfs2_fs.h:1114 [inline] BUG: KASAN: use-after-free in ocfs2_xattr_list_entries fs/ocfs2/xattr.c:950 [inline] BUG: KASAN: use-after-free in ocfs2_xattr_ibody_list fs/ocfs2/xattr.c:998 [inline] BUG: KASAN: use-after-free in ocfs2_listxattr+0x408/0xa74 fs/ocfs2/xattr.c:1060 Read of size 1 at addr ffff0000ea596007 by task syz.0.17/7218 CPU: 1 UID: 0 PID: 7218 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_address_description+0xa8/0x238 mm/kasan/report.c:378 print_report+0x68/0x84 mm/kasan/report.c:482 kasan_report+0xb0/0x110 mm/kasan/report.c:595 __asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378 ocfs2_xattr_get_type fs/ocfs2/ocfs2_fs.h:1114 [inline] ocfs2_xattr_list_entries fs/ocfs2/xattr.c:950 [inline] ocfs2_xattr_ibody_list fs/ocfs2/xattr.c:998 [inline] ocfs2_listxattr+0x408/0xa74 fs/ocfs2/xattr.c:1060 vfs_listxattr+0xc0/0x128 fs/xattr.c:493 ovl_listxattr+0xd8/0x49c fs/overlayfs/xattrs.c:123 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x10c/0x380 fs/xattr.c:924 filename_listxattr fs/xattr.c:958 [inline] path_listxattrat+0x15c/0x33c fs/xattr.c:988 __do_sys_listxattr fs/xattr.c:1001 [inline] __se_sys_listxattr fs/xattr.c:998 [inline] __arm64_sys_listxattr+0x84/0x98 fs/xattr.c:998 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:746 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:765 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffa3920 pfn:0x12a596 flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff) raw: 05ffc00000000000 fffffdffc39b8408 fffffdffc3a3f9c8 0000000000000000 raw: 0000000ffffa3920 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000ea595f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0000ea595f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff0000ea596000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff0000ea596080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff0000ea596100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Tested on: commit: e424ed99 Merge remote-tracking branch 'will/for-next/p.. git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci console output: https://syzkaller.appspot.com/x/log.txt?x=1594b0b4580000 kernel config: https://syzkaller.appspot.com/x/.config?x=b8b659f0cab27b22 dashboard link: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 userspace arch: arm64 patch: https://syzkaller.appspot.com/x/patch.diff?x=10c80692580000 ^ permalink raw reply [flat|nested] 11+ messages in thread
[parent not found: <20251117091717.9916-1-kartikey406@gmail.com>]
* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr [not found] <20251117091717.9916-1-kartikey406@gmail.com> @ 2025-11-17 11:32 ` syzbot 0 siblings, 0 replies; 11+ messages in thread From: syzbot @ 2025-11-17 11:32 UTC (permalink / raw) To: kartikey406, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Tested-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Tested on: commit: db9030a7 Merge remote-tracking branch 'will/for-next/p.. git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci console output: https://syzkaller.appspot.com/x/log.txt?x=14f6e658580000 kernel config: https://syzkaller.appspot.com/x/.config?x=fdc83aa8a8b9d1ae dashboard link: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 userspace arch: arm64 patch: https://syzkaller.appspot.com/x/patch.diff?x=16040fcd980000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2025-11-17 11:32 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-10 18:09 [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr syzbot
2025-11-11 1:31 ` Forwarded: [PATCH] ocfs2: validate xattr entry count to prevent use-after-free syzbot
2025-11-11 4:29 ` Forwarded: [PATCH] ocfs2: validate xattr header in ocfs2_validate_inode_block syzbot
2025-11-11 4:40 ` syzbot
2025-11-11 6:06 ` Forwarded: [PATCH] ocfs2: validate xattr entry count in ocfs2_validate_xattr_block syzbot
2025-11-17 9:17 ` Forwarded: [PATCH v3] ocfs2: validate xattr entry count in ocfs2_xattr_ibody_list syzbot
[not found] <20251111013052.1801231-1-kartikey406@gmail.com>
2025-11-11 3:17 ` [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr syzbot
[not found] <20251111042938.2015551-1-kartikey406@gmail.com>
2025-11-11 5:34 ` syzbot
[not found] <20251111044000.2016410-1-kartikey406@gmail.com>
2025-11-11 6:02 ` syzbot
[not found] <20251111060615.2022366-1-kartikey406@gmail.com>
2025-11-11 7:09 ` syzbot
[not found] <20251117091717.9916-1-kartikey406@gmail.com>
2025-11-17 11:32 ` syzbot
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox