Date: Mon, 17 Nov 2025 01:17:24 -0800
In-Reply-To: <69122a59.a70a0220.22f260.00fc.GAE@google.com>
Message-ID: <691ae824.a70a0220.f6df1.000a.GAE@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Forwarded: [PATCH v3] ocfs2: validate xattr entry count in ocfs2_xattr_ibody_list
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH v3] ocfs2: validate xattr entry count in ocfs2_xattr_ibody_list
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci

Add validation of inline xattr size and entry count in ocfs2_xattr_ibody_list() to prevent out-of-bounds access and use-after-free bugs when processing corrupted inline xattrs.

The validation performs two checks:
1. Validates i_xattr_inline_size is within reasonable bounds (not larger than block size and at least large enough for the xattr header)
2. Validates xattr entry count does not exceed the maximum that can fit in the inline xattr space

Without these checks, a corrupted filesystem with invalid inline xattr size or entry count can cause the code to access memory beyond the allocated space, potentially reaching freed memory pages and triggering KASAN use-after-free detection.

This fix addresses the syzbot-reported bug by validating inline xattr metadata before use, using the correct inline size calculation rather than block size.

Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9
Link: https://lore.kernel.org/all/20251111073831.2027072-1-kartikey406@gmail.com/ [v1]
Link: https://lore.kernel.org/all/20251117063217.5690-1-kartikey406@gmail.com/T/ [v2]
Signed-off-by: Deepanshu Kartikey --- Changes in v3: - Moved validation from ocfs2_xattr_list_entries() to ocfs2_xattr_ibody_list() to use correct inline size calculation (suggested by Heming Zhao) - Added validation of i_xattr_inline_size before use - Changed return value to -EFSCORRUPTED for consistency --- fs/ocfs2/xattr.c | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index d70a20d29e3e..98fd4f3f2d2d 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -971,13 +971,39 @@ static int ocfs2_xattr_ibody_list(struct inode *inode, struct ocfs2_xattr_header *header = NULL; struct ocfs2_inode_info *oi = OCFS2_I(inode); int ret = 0; + u16 xattr_count; + size_t max_entries; + u16 inline_size; if (!(oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) return ret; + inline_size = le16_to_cpu(di->i_xattr_inline_size); + + /* Validate inline size is reasonable */ + if (inline_size > inode->i_sb->s_blocksize || + inline_size < sizeof(struct ocfs2_xattr_header)) { + ocfs2_error(inode->i_sb, + "Invalid xattr inline size %u in inode %llu\n", + inline_size, + (unsigned long long)OCFS2_I(inode)->ip_blkno); + return -EFSCORRUPTED; + } + header = (struct ocfs2_xattr_header *) - ((void *)di + inode->i_sb->s_blocksize - - le16_to_cpu(di->i_xattr_inline_size)); + ((void *)di + inode->i_sb->s_blocksize - inline_size); + + xattr_count = le16_to_cpu(header->xh_count); + max_entries = (inline_size - sizeof(struct ocfs2_xattr_header)) / + sizeof(struct ocfs2_xattr_entry); + + if (xattr_count > max_entries) { + ocfs2_error(inode->i_sb, + "xattr entry count %u exceeds maximum %zu in inode %llu\n", + xattr_count, max_entries, + (unsigned long long)OCFS2_I(inode)->ip_blkno); + return -EFSCORRUPTED; + } ret = ocfs2_xattr_list_entries(inode, header, buffer, buffer_size); -- 2.43.0
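Review bot: The new upper bound `inline_size > inode->i_sb->s_blocksize` still accepts `inline_size == s_blocksize`, and with the unchanged pointer arithmetic `((void *)di + inode->i_sb->s_blocksize - inline_size)` that places `header` at `di` itself, so an inline size equal to the block size passes the check while the xattr header and entry array overlap the dinode fields that were just read. Consider bounding against the space that can actually follow the dinode in the block, e.g. `inline_size > inode->i_sb->s_blocksize - sizeof(struct ocfs2_dinode)`, so the header always lies past the inode. Minor style point: `oi` is already `OCFS2_I(inode)` at the top of the function, so both ocfs2_error() calls can pass `oi->ip_blkno` rather than re-evaluating `(unsigned long long)OCFS2_I(inode)->ip_blkno`.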
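The following user-space model is an added example, not code from the patch or from the ocfs2 sources. It reproduces the two bounds checks the patch describes (inline size within the block and at least a header; entry count no larger than what fits after the header) over a constructed 4 KiB block, using simplified stand-in structs whose layouts are assumptions rather than the real on-disk definitions. It also shows the edge case where the inline size equals the block size: the patch's bound accepts it and the header then aliases the dinode, while a bound that subtracts the dinode rejects it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_BLOCKSIZE 4096        /* constructed: a 4 KiB inode block */
#define MODEL_EFSCORRUPTED (-117)   /* mirrors -EFSCORRUPTED (-EUCLEAN) on Linux */

/* Simplified stand-ins for the on-disk structs (constructed for this
 * example; NOT the real ocfs2 layouts). Values are kept in host byte
 * order, so the kernel's le16_to_cpu() conversions are omitted. */
struct model_dinode {
    uint8_t  opaque[160];           /* fields before the one we need */
    uint16_t i_xattr_inline_size;   /* bytes reserved at the end of the block */
    uint8_t  pad[2];
};
struct model_xattr_header {
    uint16_t xh_count;              /* number of entries following the header */
    uint8_t  rest[14];              /* padded to 16 bytes */
};
struct model_xattr_entry {
    uint8_t  bytes[16];             /* only its size matters for the arithmetic */
};

/* The two checks from the patch, parameterised by the largest inline
 * size the caller accepts. Returns 0 or MODEL_EFSCORRUPTED. */
static int check_inline_xattr(const uint8_t *block, size_t blocksize,
                              uint16_t inline_size, size_t max_inline)
{
    /* Check 1: the inline area must fit and must hold at least a header. */
    if (inline_size > max_inline ||
        inline_size < sizeof(struct model_xattr_header))
        return MODEL_EFSCORRUPTED;

    /* Same arithmetic as the patch: the inline area ends at the block end. */
    const struct model_xattr_header *hdr =
        (const struct model_xattr_header *)(block + blocksize - inline_size);

    /* Check 2: the entry array must fit in the space after the header. */
    size_t max_entries = (inline_size - sizeof(*hdr)) /
                         sizeof(struct model_xattr_entry);
    if (hdr->xh_count > max_entries)
        return MODEL_EFSCORRUPTED;
    return 0;
}

/* Exactly the patch's bound: inline_size may equal the block size. */
int validate_as_patched(const uint8_t *block, size_t blocksize)
{
    const struct model_dinode *di = (const struct model_dinode *)block;
    return check_inline_xattr(block, blocksize, di->i_xattr_inline_size,
                              blocksize);
}

/* Tighter bound: only the space after the dinode may hold the inline
 * area, so the header can never alias the dinode itself. */
int validate_tightened(const uint8_t *block, size_t blocksize)
{
    const struct model_dinode *di = (const struct model_dinode *)block;
    return check_inline_xattr(block, blocksize, di->i_xattr_inline_size,
                              blocksize - sizeof(*di));
}

/* Build a constructed block with the given inline size and entry count. */
static void build_block(uint8_t *block, size_t blocksize,
                        uint16_t inline_size, uint16_t count)
{
    memset(block, 0, blocksize);
    ((struct model_dinode *)block)->i_xattr_inline_size = inline_size;
    if (inline_size >= sizeof(struct model_xattr_header) &&
        inline_size <= blocksize)
        ((struct model_xattr_header *)(block + blocksize - inline_size))
            ->xh_count = count;
}

/* Run one scenario; tightened selects which validator is applied. */
int scenario(uint16_t inline_size, uint16_t count, int tightened)
{
    static _Alignas(16) uint8_t block[MODEL_BLOCKSIZE];
    build_block(block, MODEL_BLOCKSIZE, inline_size, count);
    return tightened ? validate_tightened(block, MODEL_BLOCKSIZE)
                     : validate_as_patched(block, MODEL_BLOCKSIZE);
}

int main(void)
{
    printf("valid (256 bytes, 4 entries):      %d\n", scenario(256, 4, 0));
    printf("too many entries (256 bytes, 16):  %d\n", scenario(256, 16, 0));
    printf("inline size > block size (5000):   %d\n", scenario(5000, 0, 0));
    printf("inline size < header (8):          %d\n", scenario(8, 0, 0));
    printf("inline == block size, patched:     %d\n", scenario(MODEL_BLOCKSIZE, 1, 0));
    printf("inline == block size, tightened:   %d\n", scenario(MODEL_BLOCKSIZE, 1, 1));
    return 0;
}
```

With a 256-byte inline area the model allows (256 - 16) / 16 = 15 entries, so a count of 16 is rejected, matching the patch's second check; the two validators differ only on the aliasing case, which is the point of the tighter bound.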