From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ot1-f71.google.com (mail-ot1-f71.google.com [209.85.210.71]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 111E636828B for ; Tue, 24 Feb 2026 08:52:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.71 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771923146; cv=none; b=aQNe6maj6QmgFdRhipr2ZPLQz3+aifSxuiF2uiNqWrWriDSCDM4j4X2re+cAswxNTS11eLTjS9DNm8WUVXZPi/+VsYvLps9a7u+vzJdEOO5xtwyNCjPRc2jIrVKKeBj5i5BaM85I0duBjbS+wo9wiiYBiV7ullxGQWlkuPdSqWY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771923146; c=relaxed/simple; bh=GvX1IHmGF5M+yM+KeMLFoSUDOuwWdzONCupE/JU0ETY=; h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To: Content-Type; b=KL6LDAv8tnNqyUftwJEazKgpuSQ6tNIoUedxP0k/f4b1p/qmaeA/bjPdjICUdBmIOqPl2QdTTfW7Yo0S7TCb/4zoRktN33+oowItKhnUQUs7/HMvLzPO5pQvJNEK8FV4oqUWyh9aXXI63Q15Srm5BDslmsp5taOz7+sePhUTaOU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.210.71 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com Received: by mail-ot1-f71.google.com with SMTP id 46e09a7af769-7d4c1b2651fso21519983a34.3 for ; Tue, 24 Feb 2026 00:52:24 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771923144; x=1772527944; h=to:from:subject:message-id:in-reply-to:date:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=WYv+aYuijCgIZHZwpsNc/oeqzdFRoEsW4a7h4mt0FbI=; b=Mf9LNRgLsc72aN8w5m4vvu7vXQ6hcq1UBsATzvUbw3NCVg3LUsIDZAB3ZZxzx0Zks1 coG8FuyJmb0hIQg6c6xEdYc2uo7T0RgtVT1Ksmh1KkWqGTRbbw1bwTwkah1sO0jl4kzo 5VsfC8peV1MNX7npRKZNwjJP3Ww+Wx4DMDFMKFn1smijvDI0xgfRNbFSVGycSvNUZ0IH sFkKOCeGDk5qua+xw9r46v2RDPhye0Ed3mswwZAEWE8q1Ca4tispZZx3wdDapRhg9olC JH4QJi9K2QAm5ivUIFVJwim6dNQYXUPcuDsyvz4lz4KfPpf38vT+TMmpLYF1nHc+PYm+ EXQQ== X-Gm-Message-State: AOJu0YzidB2ojWC2XccGuioNYyQbBzCDw+54L+oEX0z7icAnrdsL36uh w9W3S4+g0H8pec0AV5h8iK0wSXOZ9vSph5Lt5eA0bByICFvhDgT9jCnpMS8tfLa4sxtSnxcWp6+ D8zbIBkhkslkF9Orz2TmyVxzy0DocNiv6BkRxe+xJY05AZGXdOHiTTS4QyEA= Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Received: by 2002:a05:6820:2013:b0:662:e066:73a1 with SMTP id 006d021491bc7-679c44f14b3mr5921748eaf.57.1771923144028; Tue, 24 Feb 2026 00:52:24 -0800 (PST) Date: Tue, 24 Feb 2026 00:52:24 -0800 In-Reply-To: <699b9b6f.a70a0220.2c38d7.0189.GAE@google.com> X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <699d66c8.050a0220.247d23.03d3.GAE@google.com> Subject: Forwarded: [PATCH] ext4: add bounds check in xattr_find_entry() to prevent use-after-free From: syzbot To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Type: text/plain; charset="UTF-8" For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: add bounds check in xattr_find_entry() to prevent use-after-free Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master xattr_find_entry() receives an 'end' pointer to mark the boundary of the valid xattr region but never uses it to validate entries during iteration. The IS_LAST_ENTRY() macro dereferences the entry pointer by casting it to __u32 and reading 4 bytes, without first verifying that the entry falls within bounds. On a corrupted filesystem, inline xattr entries in the inode body can have a bogus e_name_len field. EXT4_XATTR_NEXT() uses e_name_len to compute the next entry offset, which can jump past the valid xattr region into freed memory. The subsequent IS_LAST_ENTRY() call on this out-of-bounds pointer triggers a use-after-free read. Fix this by: 1. Checking that the entry pointer is within bounds before each IS_LAST_ENTRY() dereference in the loop condition. 2. Validating that the next entry computed via EXT4_XATTR_NEXT() also falls within bounds before advancing the loop. Return -EFSCORRUPTED if entries overrun the valid xattr region. Reported-by: syzbot+fb32afec111a7d61b939@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fb32afec111a7d61b939 Signed-off-by: Deepanshu Kartikey --- fs/ext4/xattr.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 7bf9ba19a89d..f38eef93e3f8 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -333,6 +333,12 @@ xattr_find_entry(struct inode *inode, struct ext4_xattr_entry **pentry, name_len = strlen(name); for (entry = *pentry; !IS_LAST_ENTRY(entry); entry = next) { next = EXT4_XATTR_NEXT(entry); + if ((void *)next + sizeof(__u32) > end) { + EXT4_ERROR_INODE(inode, "corrupted xattr entry: e_name_len=%u", + entry->e_name_len); + return -EFSCORRUPTED; + } + if ((void *) next >= end) { EXT4_ERROR_INODE(inode, "corrupted xattr entries"); return -EFSCORRUPTED; @@ -652,6 +658,13 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name, header = IHDR(inode, raw_inode); end = ITAIL(inode, raw_inode); entry = IFIRST(header); + + if ((void *)entry + sizeof(__u32) > end) { + EXT4_ERROR_INODE(inode, "inline xattr region overflow"); + error = -EFSCORRUPTED; + goto cleanup; + } + error = xattr_find_entry(inode, &entry, end, name_index, name, 0); if (error) goto cleanup; -- 2.34.1