* Forwarded: [PATCH] ocfs2: validate xattr entry count to prevent use-after-free
2025-11-10 18:09 [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr syzbot
@ 2025-11-11 1:31 ` syzbot
2025-11-11 4:29 ` Forwarded: [PATCH] ocfs2: validate xattr header in ocfs2_validate_inode_block syzbot
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2025-11-11 1:31 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ocfs2: validate xattr entry count to prevent use-after-free
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
The ocfs2_xattr_list_entries() function does not validate the
xh_count field read from the on-disk xattr header. When processing
a corrupted filesystem image, an invalid xh_count value causes the
loop to iterate beyond the bounds of the allocated block. This leads
to out-of-bounds memory access, potentially reaching freed pages and
triggering use-after-free bugs detected by KASAN.
The issue occurs because:
1. xh_count is read directly from disk without validation
2. The loop uses this value to access header->xh_entries[i]
3. When xh_count exceeds the block capacity, entry pointers extend
beyond the allocated memory
4. Accessing these out-of-bounds pointers can reach freed memory
Fix this by validating that xh_count does not exceed the maximum
number of entries that can fit within the block before accessing
the entries array. Calculate the maximum as:
(block_size - header_size) / entry_size
If validation fails, log an error and return -EUCLEAN to indicate
filesystem corruption.
Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/ocfs2/xattr.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index d70a20d29e3e..db352df00101 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -928,8 +928,20 @@ static int ocfs2_xattr_list_entries(struct inode *inode,
size_t result = 0;
int i, type, ret;
const char *name;
-
- for (i = 0 ; i < le16_to_cpu(header->xh_count); i++) {
+ u16 count;
+ size_t max_entries;
+ struct super_block *sb = inode->i_sb;
+ count = le16_to_cpu(header->xh_count);
+ max_entries = (sb->s_blocksize - sizeof(struct ocfs2_xattr_header)) /
+ sizeof(struct ocfs2_xattr_entry);
+ if (count > max_entries) {
+ mlog(ML_ERROR,
+ "xattr entry count %u exceeds maximum %zu in inode %llu\n",
+ count, max_entries,
+ (unsigned long long)OCFS2_I(inode)->ip_blkno);
+ return -EUCLEAN;
+ }
+ for (i = 0 ; i < count; i++) {
struct ocfs2_xattr_entry *entry = &header->xh_entries[i];
type = ocfs2_xattr_get_type(entry);
name = (const char *)header +
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* Forwarded: [PATCH] ocfs2: validate xattr header in ocfs2_validate_inode_block
2025-11-10 18:09 [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr syzbot
2025-11-11 1:31 ` Forwarded: [PATCH] ocfs2: validate xattr entry count to prevent use-after-free syzbot
@ 2025-11-11 4:29 ` syzbot
2025-11-11 4:40 ` syzbot
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2025-11-11 4:29 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ocfs2: validate xattr header in ocfs2_validate_inode_block
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
Add validation of inline xattr header fields when validating inode
blocks to catch corruption early before the inode is used by the
system. This prevents corrupted xattr counts from causing out-of-bounds
access and use-after-free bugs in xattr processing code.
The validation checks:
1. xattr_inline_size does not exceed block size
2. xattr_inline_size is large enough for header structure
3. xattr entry count does not exceed available space
This moves validation to the inode block validation stage, providing
comprehensive protection for all code paths that access inline xattrs.
Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/ocfs2/inode.c | 41 +++++++++++++++++++++++++++++++++++++++++
fs/ocfs2/xattr.c | 16 ++++++++++++++--
2 files changed, 55 insertions(+), 2 deletions(-)
diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
index fcc89856ab95..9d5342b8dbc6 100644
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1458,6 +1458,47 @@ int ocfs2_validate_inode_block(struct super_block *sb,
(unsigned long long)bh->b_blocknr);
goto bail;
}
+ if (di->i_dyn_features & cpu_to_le16(OCFS2_INLINE_XATTR_FL)) {
+ struct ocfs2_xattr_header *header;
+ u16 xattr_inline_size;
+ u16 xattr_count;
+ size_t max_entries;
+
+ xattr_inline_size = le16_to_cpu(di->i_xattr_inline_size);
+
+ /* Validate inline size is within block bounds */
+ if (xattr_inline_size > sb->s_blocksize) {
+ mlog(ML_ERROR,
+ "xattr inline size %u exceeds block size %lu in inode %llu\n",
+ xattr_inline_size, sb->s_blocksize,
+ (unsigned long long)bh->b_blocknr);
+ goto bail;
+ }
+ /* If there's xattr data, validate it */
+ if (xattr_inline_size > 0) {
+ /* Must be at least big enough for header */
+ if (xattr_inline_size < sizeof(struct ocfs2_xattr_header)) {
+ mlog(ML_ERROR,
+ "xattr inline size %u too small for header in inode %llu\n",
+ xattr_inline_size,
+ (unsigned long long)bh->b_blocknr);
+ goto bail;
+ }
+ header = (struct ocfs2_xattr_header *)
+ ((void *)di + sb->s_blocksize - xattr_inline_size);
+ xattr_count = le16_to_cpu(header->xh_count);
+ max_entries = (xattr_inline_size -
+ sizeof(struct ocfs2_xattr_header)) /
+ sizeof(struct ocfs2_xattr_entry);
+ if (xattr_count > max_entries) {
+ mlog(ML_ERROR,
+ "xattr count %u exceeds maximum %zu in inode %llu\n",
+ xattr_count, max_entries,
+ (unsigned long long)bh->b_blocknr);
+ goto bail;
+ }
+ }
+ }
/*
* Errors after here are fatal.
diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index d70a20d29e3e..db352df00101 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -928,8 +928,21 @@ static int ocfs2_xattr_list_entries(struct inode *inode,
size_t result = 0;
int i, type, ret;
const char *name;
-
- for (i = 0 ; i < le16_to_cpu(header->xh_count); i++) {
+ u16 count;
+ size_t max_entries;
+ struct super_block *sb = inode->i_sb;
+
+ count = le16_to_cpu(header->xh_count);
+ max_entries = (sb->s_blocksize - sizeof(struct ocfs2_xattr_header)) /
+ sizeof(struct ocfs2_xattr_entry);
+ if (count > max_entries) {
+ mlog(ML_ERROR,
+ "xattr entry count %u exceeds maximum %zu in inode %llu\n",
+ count, max_entries,
+ (unsigned long long)OCFS2_I(inode)->ip_blkno);
+ return -EUCLEAN;
+ }
+ for (i = 0 ; i < count; i++) {
struct ocfs2_xattr_entry *entry = &header->xh_entries[i];
type = ocfs2_xattr_get_type(entry);
name = (const char *)header +
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* Forwarded: [PATCH] ocfs2: validate xattr header in ocfs2_validate_inode_block
2025-11-10 18:09 [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr syzbot
2025-11-11 1:31 ` Forwarded: [PATCH] ocfs2: validate xattr entry count to prevent use-after-free syzbot
2025-11-11 4:29 ` Forwarded: [PATCH] ocfs2: validate xattr header in ocfs2_validate_inode_block syzbot
@ 2025-11-11 4:40 ` syzbot
2025-11-11 6:06 ` Forwarded: [PATCH] ocfs2: validate xattr entry count in ocfs2_validate_xattr_block syzbot
2025-11-17 9:17 ` Forwarded: [PATCH v3] ocfs2: validate xattr entry count in ocfs2_xattr_ibody_list syzbot
4 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2025-11-11 4:40 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ocfs2: validate xattr header in ocfs2_validate_inode_block
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
Add validation of inline xattr header fields when validating inode
blocks to catch corruption early before the inode is used by the
system. This prevents corrupted xattr counts from causing out-of-bounds
access and use-after-free bugs in xattr processing code.
The validation checks:
1. xattr_inline_size does not exceed block size
2. xattr_inline_size is large enough for header structure
3. xattr entry count does not exceed available space
This moves validation to the inode block validation stage, providing
comprehensive protection for all code paths that access inline xattrs.
Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/ocfs2/inode.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
index fcc89856ab95..9d5342b8dbc6 100644
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1458,6 +1458,47 @@ int ocfs2_validate_inode_block(struct super_block *sb,
(unsigned long long)bh->b_blocknr);
goto bail;
}
+ if (di->i_dyn_features & cpu_to_le16(OCFS2_INLINE_XATTR_FL)) {
+ struct ocfs2_xattr_header *header;
+ u16 xattr_inline_size;
+ u16 xattr_count;
+ size_t max_entries;
+
+ xattr_inline_size = le16_to_cpu(di->i_xattr_inline_size);
+
+ /* Validate inline size is within block bounds */
+ if (xattr_inline_size > sb->s_blocksize) {
+ mlog(ML_ERROR,
+ "xattr inline size %u exceeds block size %lu in inode %llu\n",
+ xattr_inline_size, sb->s_blocksize,
+ (unsigned long long)bh->b_blocknr);
+ goto bail;
+ }
+ /* If there's xattr data, validate it */
+ if (xattr_inline_size > 0) {
+ /* Must be at least big enough for header */
+ if (xattr_inline_size < sizeof(struct ocfs2_xattr_header)) {
+ mlog(ML_ERROR,
+ "xattr inline size %u too small for header in inode %llu\n",
+ xattr_inline_size,
+ (unsigned long long)bh->b_blocknr);
+ goto bail;
+ }
+ header = (struct ocfs2_xattr_header *)
+ ((void *)di + sb->s_blocksize - xattr_inline_size);
+ xattr_count = le16_to_cpu(header->xh_count);
+ max_entries = (xattr_inline_size -
+ sizeof(struct ocfs2_xattr_header)) /
+ sizeof(struct ocfs2_xattr_entry);
+ if (xattr_count > max_entries) {
+ mlog(ML_ERROR,
+ "xattr count %u exceeds maximum %zu in inode %llu\n",
+ xattr_count, max_entries,
+ (unsigned long long)bh->b_blocknr);
+ goto bail;
+ }
+ }
+ }
/*
* Errors after here are fatal.
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* Forwarded: [PATCH] ocfs2: validate xattr entry count in ocfs2_validate_xattr_block
2025-11-10 18:09 [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr syzbot
` (2 preceding siblings ...)
2025-11-11 4:40 ` syzbot
@ 2025-11-11 6:06 ` syzbot
2025-11-17 9:17 ` Forwarded: [PATCH v3] ocfs2: validate xattr entry count in ocfs2_xattr_ibody_list syzbot
4 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2025-11-11 6:06 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ocfs2: validate xattr entry count in ocfs2_validate_xattr_block
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
Add validation of xattr entry count when validating external xattr
blocks to catch corruption early before the block is used by the
system. This prevents corrupted xattr counts from causing out-of-bounds
access and use-after-free bugs when processing xattr entries.
The validation ensures that xh_count does not exceed the maximum number
of entries that can fit within the block. Without this check, a
corrupted filesystem image with an invalid xh_count can cause the code
to iterate beyond the allocated block boundary, potentially accessing
freed memory pages.
The check is added to ocfs2_validate_xattr_block() which is called when
reading xattr blocks from disk, providing protection for all code paths
that subsequently access the xattr entries. This follows the same
pattern as other validation checks in the function.
This patch complements the inline xattr validation added to
ocfs2_validate_inode_block(), providing comprehensive protection for
both inline and external xattr storage.
Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/ocfs2/xattr.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index d70a20d29e3e..3d21f2b9966e 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -470,7 +470,23 @@ static int ocfs2_validate_xattr_block(struct super_block *sb,
trace_ocfs2_validate_xattr_block((unsigned long long)bh->b_blocknr);
BUG_ON(!buffer_uptodate(bh));
-
+ if (!(le16_to_cpu(xb->xb_flags) & OCFS2_XATTR_INDEXED)) {
+ struct ocfs2_xattr_header *header = &xb->xb_attrs.xb_header;
+ u16 xattr_count;
+ size_t max_entries;
+
+ xattr_count = le16_to_cpu(header->xh_count);
+ max_entries = (sb->s_blocksize -
+ offsetof(struct ocfs2_xattr_block, xb_attrs.xb_header) -
+ sizeof(struct ocfs2_xattr_header)) /
+ sizeof(struct ocfs2_xattr_entry);
+ if (xattr_count > max_entries) {
+ return ocfs2_error(sb,
+ "Extended attribute block #%llu has invalid xattr count %u (max %zu)\n",
+ (unsigned long long)bh->b_blocknr,
+ xattr_count, max_entries);
+ }
+ }
/*
* If the ecc fails, we return the error but otherwise
* leave the filesystem running. We know any error is
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* Forwarded: [PATCH v3] ocfs2: validate xattr entry count in ocfs2_xattr_ibody_list
2025-11-10 18:09 [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr syzbot
` (3 preceding siblings ...)
2025-11-11 6:06 ` Forwarded: [PATCH] ocfs2: validate xattr entry count in ocfs2_validate_xattr_block syzbot
@ 2025-11-17 9:17 ` syzbot
4 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2025-11-17 9:17 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH v3] ocfs2: validate xattr entry count in ocfs2_xattr_ibody_list
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
Add validation of inline xattr size and entry count in
ocfs2_xattr_ibody_list() to prevent out-of-bounds access and
use-after-free bugs when processing corrupted inline xattrs.
The validation performs two checks:
1. Validates i_xattr_inline_size is within reasonable bounds (not larger
than block size and at least large enough for the xattr header)
2. Validates xattr entry count does not exceed the maximum that can fit
in the inline xattr space
Without these checks, a corrupted filesystem with invalid inline xattr
size or entry count can cause the code to access memory beyond the
allocated space, potentially reaching freed memory pages and triggering
KASAN use-after-free detection.
This fix addresses the syzbot-reported bug by validating inline xattr
metadata before use, using the correct inline size calculation rather
than block size.
Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9
Link: https://lore.kernel.org/all/20251111073831.2027072-1-kartikey406@gmail.com/ [v1]
Link: https://lore.kernel.org/all/20251117063217.5690-1-kartikey406@gmail.com/T/ [v2]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
Changes in v3:
- Moved validation from ocfs2_xattr_list_entries() to
ocfs2_xattr_ibody_list() to use correct inline size calculation
(suggested by Heming Zhao)
- Added validation of i_xattr_inline_size before use
- Changed return value to -EFSCORRUPTED for consistency
---
fs/ocfs2/xattr.c | 30 ++++++++++++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index d70a20d29e3e..98fd4f3f2d2d 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -971,13 +971,39 @@ static int ocfs2_xattr_ibody_list(struct inode *inode,
struct ocfs2_xattr_header *header = NULL;
struct ocfs2_inode_info *oi = OCFS2_I(inode);
int ret = 0;
+ u16 xattr_count;
+ size_t max_entries;
+ u16 inline_size;
if (!(oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL))
return ret;
+ inline_size = le16_to_cpu(di->i_xattr_inline_size);
+
+ /* Validate inline size is reasonable */
+ if (inline_size > inode->i_sb->s_blocksize ||
+ inline_size < sizeof(struct ocfs2_xattr_header)) {
+ ocfs2_error(inode->i_sb,
+ "Invalid xattr inline size %u in inode %llu\n",
+ inline_size,
+ (unsigned long long)OCFS2_I(inode)->ip_blkno);
+ return -EFSCORRUPTED;
+ }
+
header = (struct ocfs2_xattr_header *)
- ((void *)di + inode->i_sb->s_blocksize -
- le16_to_cpu(di->i_xattr_inline_size));
+ ((void *)di + inode->i_sb->s_blocksize - inline_size);
+
+ xattr_count = le16_to_cpu(header->xh_count);
+ max_entries = (inline_size - sizeof(struct ocfs2_xattr_header)) /
+ sizeof(struct ocfs2_xattr_entry);
+
+ if (xattr_count > max_entries) {
+ ocfs2_error(inode->i_sb,
+ "xattr entry count %u exceeds maximum %zu in inode %llu\n",
+ xattr_count, max_entries,
+ (unsigned long long)OCFS2_I(inode)->ip_blkno);
+ return -EFSCORRUPTED;
+ }
ret = ocfs2_xattr_list_entries(inode, header, buffer, buffer_size);
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread