From: syzbot <syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] ocfs2: validate xattr entry count in ocfs2_validate_xattr_block
Date: Mon, 10 Nov 2025 22:06:23 -0800
Message-ID: <6912d25f.a70a0220.22f260.012a.GAE@google.com>
In-Reply-To: <69122a59.a70a0220.22f260.00fc.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ocfs2: validate xattr entry count in ocfs2_validate_xattr_block
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci

Add validation of xattr entry count when validating external xattr
blocks to catch corruption early before the block is used by the
system. This prevents corrupted xattr counts from causing out-of-bounds
access and use-after-free bugs when processing xattr entries.

The validation ensures that xh_count does not exceed the maximum number
of entries that can fit within the block. Without this check, a
corrupted filesystem image with an invalid xh_count can cause the code
to iterate beyond the allocated block boundary, potentially accessing
freed memory pages.

The check is added to ocfs2_validate_xattr_block() which is called when
reading xattr blocks from disk, providing protection for all code paths
that subsequently access the xattr entries. This follows the same
pattern as other validation checks in the function.

This patch complements the inline xattr validation added to
ocfs2_validate_inode_block(), providing comprehensive protection for
both inline and external xattr storage.

Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/ocfs2/xattr.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index d70a20d29e3e..3d21f2b9966e 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -470,7 +470,23 @@ static int ocfs2_validate_xattr_block(struct super_block *sb,
trace_ocfs2_validate_xattr_block((unsigned long long)bh->b_blocknr);
BUG_ON(!buffer_uptodate(bh));
-
+ if (!(le16_to_cpu(xb->xb_flags) & OCFS2_XATTR_INDEXED)) {
+ struct ocfs2_xattr_header *header = &xb->xb_attrs.xb_header;
+ u16 xattr_count;
+ size_t max_entries;
+
+ xattr_count = le16_to_cpu(header->xh_count);
+ max_entries = (sb->s_blocksize -
+ offsetof(struct ocfs2_xattr_block, xb_attrs.xb_header) -
+ sizeof(struct ocfs2_xattr_header)) /
+ sizeof(struct ocfs2_xattr_entry);
+ if (xattr_count > max_entries) {
+ return ocfs2_error(sb,
+ "Extended attribute block #%llu has invalid xattr count %u (max %zu)\n",
+ (unsigned long long)bh->b_blocknr,
+ xattr_count, max_entries);
+ }
+ }
/*
* If the ecc fails, we return the error but otherwise
* leave the filesystem running. We know any error is
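
Review bot: The new xh_count check is placed above the "If the ecc fails" comment, so xb_flags and xh_count are read and acted on before the ECC validation that comment introduces has run. A block that would fail ECC is then reported as "invalid xattr count" instead, and the decision to skip the check for OCFS2_XATTR_INDEXED blocks is taken on a flags field that has not yet been validated. Consider moving the whole `if (!(le16_to_cpu(xb->xb_flags) & OCFS2_XATTR_INDEXED))` block to after the function's existing checks, so the count is only interpreted on a block that has already passed them. Two smaller points: the hunk deletes the blank line after `BUG_ON(!buffer_uptodate(bh));` and leaves none between the closing brace and the following comment, so keep a blank line on both sides of the new block; and the inner `if (xattr_count > max_entries)` wraps a single return statement, so the braces can go. The commit message should also say that the bound covers only the number of entries that fit in the block, since nothing in this hunk checks where each entry's name and value point.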
--
2.43.0
Thread overview: 6+ messages
2025-11-10 18:09 [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr syzbot
2025-11-11 1:31 ` Forwarded: [PATCH] ocfs2: validate xattr entry count to prevent use-after-free syzbot
2025-11-11 4:29 ` Forwarded: [PATCH] ocfs2: validate xattr header in ocfs2_validate_inode_block syzbot
2025-11-11 4:40 ` syzbot
2025-11-11 6:06 ` syzbot [this message]
2025-11-17 9:17 ` Forwarded: [PATCH v3] ocfs2: validate xattr entry count in ocfs2_xattr_ibody_list syzbot