From: syzbot <syzbot+fb32afec111a7d61b939@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] ext4: add bounds check in xattr_find_entry() to prevent use-after-free
Date: Tue, 24 Feb 2026 00:36:19 -0800 [thread overview]
Message-ID: <699d6303.a00a0220.121a60.00f9.GAE@google.com> (raw)
In-Reply-To: <699b9b6f.a70a0220.2c38d7.0189.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ext4: add bounds check in xattr_find_entry() to prevent use-after-free
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
xattr_find_entry() receives an 'end' pointer to mark the boundary of
the valid xattr region, but never uses it to validate entries during
iteration. The IS_LAST_ENTRY() check dereferences the entry pointer
(reading 4 bytes) without first verifying that the entry is within
bounds. On a corrupted filesystem, this allows the loop to walk past
the valid buffer into freed memory, triggering a use-after-free.
This is observed when mounting a crafted ext4 image where inline xattr
entries in the inode body are corrupted. During path lookup, the ACL
permission check calls ext4_get_acl() -> ext4_xattr_ibody_get() ->
xattr_find_entry(), which iterates over the corrupted inline xattr
entries and reads from a freed page.
Fix this by adding a bounds check against 'end' before each entry
is accessed in the iteration loop, and validating that the next entry
also falls within bounds. Return -EFSCORRUPTED if the xattr entries
overrun the valid region.
Reported-by: syzbot+fb32afec111a7d61b939@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fb32afec111a7d61b939
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/ext4/xattr.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 7bf9ba19a89d..5080ec44228a 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -652,6 +652,13 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name,
header = IHDR(inode, raw_inode);
end = ITAIL(inode, raw_inode);
entry = IFIRST(header);
+
+ if ((void *)entry + sizeof(__u32) > end) {
+ EXT4_ERROR_INODE(inode, "inline xattr region overflow");
+ error = -EFSCORRUPTED;
+ goto cleanup;
+ }
+
error = xattr_find_entry(inode, &entry, end, name_index, name, 0);
if (error)
goto cleanup;
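Review bot: The hunk does not implement what the commit message describes. The description says a bounds check against 'end' is added before each entry is accessed in the iteration loop of xattr_find_entry(), and that the next entry is validated as well, but the only change here is a single check of the first entry in ext4_xattr_ibody_get() before xattr_find_entry() is called (`if ((void *)entry + sizeof(__u32) > end)`). Entries after the first are still walked by the loop without any check, so the use-after-free described for a corrupted inline xattr region is only narrowed, not closed. Either the loop change in xattr_find_entry() is missing from this patch, or the commit message should be rewritten to state that only the first entry's IS_LAST_ENTRY read is guarded here. Also worth noting: `sizeof(__u32)` covers exactly the 4-byte IS_LAST_ENTRY read mentioned in the description, so a first entry that passes this check and is not the terminator is still read beyond those 4 bytes by the caller.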
--
2.34.1