1. Patchew
  2. linux
  3. View series

[PATCH] ext4: validate extent entries before caching in ext4_find_extent()

Deepanshu Kartikey posted 1 patch 3 days, 10 hours ago 
fs/ext4/extents.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
[PATCH] ext4: validate extent entries before caching in ext4_find_extent()
Posted by Deepanshu Kartikey 3 days, 10 hours ago 
syzbot reported a BUG_ON in ext4_es_cache_extent() triggered when
opening a verity file on a corrupted ext4 filesystem mounted without
a journal.

The issue occurs when the extent tree contains out-of-order extents,
which can happen in a corrupted filesystem. ext4_find_extent() calls
ext4_cache_extents() without validating the extent entries when the
tree depth is 0 (leaf level). This allows corrupted extent trees with
out-of-order extents to be cached, triggering a BUG_ON in
ext4_es_cache_extent() due to integer underflow when calculating hole
sizes:

  If prev = 4352 and lblk = 1280:
  lblk - prev = 1280 - 4352 = -3072 (as signed)
  = 4294964224 (as unsigned)
  end = lblk + len - 1 = 4352 + 4294964224 - 1 = 1279 (after overflow)
  BUG_ON(end < lblk) triggers because 1279 < 4352

Fix this by adding extent entry validation using the existing
ext4_valid_extent_entries() function before caching. This ensures
corrupted extent trees are detected and handled properly through the
error path, preventing both the BUG_ON and potential use-after-free
issues.

Reported-and-tested-by: syzbot+038b7bf43423e132b308@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=038b7bf43423e132b308
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/ext4/extents.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index ca5499e9412b..f8e45623f7ea 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -924,8 +924,18 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
 	path[0].p_bh = NULL;
 
 	i = depth;
-	if (!(flags & EXT4_EX_NOCACHE) && depth == 0)
+	if (!(flags & EXT4_EX_NOCACHE) && depth == 0) {
+		ext4_fsblk_t pblk = 0;
+
+		if (!ext4_valid_extent_entries(inode, eh, 0, &pblk, 0)) {
+			EXT4_ERROR_INODE(inode,
+				"invalid extent entries, pblk %llu",
+				pblk);
+			ret = -EFSCORRUPTED;
+			goto err;
+		}
 		ext4_cache_extents(inode, eh);
+	}
 	/* walk through the tree */
 	while (i) {
 		ext_debug(inode, "depth %d: num %d, max %d\n",
-- 
2.43.0
Re: [PATCH] ext4: validate extent entries before caching in ext4_find_extent()
Posted by Zhang Yi 2 days, 18 hours ago 
Hi, Deepanshu!

On 9/28/2025 6:09 PM, Deepanshu Kartikey wrote:
> syzbot reported a BUG_ON in ext4_es_cache_extent() triggered when
> opening a verity file on a corrupted ext4 filesystem mounted without
> a journal.
> 
> The issue occurs when the extent tree contains out-of-order extents,
> which can happen in a corrupted filesystem. ext4_find_extent() calls
> ext4_cache_extents() without validating the extent entries when the
> tree depth is 0 (leaf level). This allows corrupted extent trees with
> out-of-order extents to be cached, triggering a BUG_ON in
> ext4_es_cache_extent() due to integer underflow when calculating hole
> sizes:
> 
>   If prev = 4352 and lblk = 1280:
>   lblk - prev = 1280 - 4352 = -3072 (as signed)
>   = 4294964224 (as unsigned)
>   end = lblk + len - 1 = 4352 + 4294964224 - 1 = 1279 (after overflow)
>   BUG_ON(end < lblk) triggers because 1279 < 4352
> 
> Fix this by adding extent entry validation using the existing
> ext4_valid_extent_entries() function before caching. This ensures
> corrupted extent trees are detected and handled properly through the
> error path, preventing both the BUG_ON and potential use-after-free
> issues.
> 

Thank you for the fix patch! However, I am curious why the check in
__ext4_iget()->ext4_ext_check_inode() fails? It should check the
extents of the root node and be able to caught this corruption.

Thanks,
Yi

> Reported-and-tested-by: syzbot+038b7bf43423e132b308@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=038b7bf43423e132b308
> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
> ---
>  fs/ext4/extents.c | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
> index ca5499e9412b..f8e45623f7ea 100644
> --- a/fs/ext4/extents.c
> +++ b/fs/ext4/extents.c
> @@ -924,8 +924,18 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
>  	path[0].p_bh = NULL;
>  
>  	i = depth;
> -	if (!(flags & EXT4_EX_NOCACHE) && depth == 0)
> +	if (!(flags & EXT4_EX_NOCACHE) && depth == 0) {
> +		ext4_fsblk_t pblk = 0;
> +
> +		if (!ext4_valid_extent_entries(inode, eh, 0, &pblk, 0)) {
> +			EXT4_ERROR_INODE(inode,
> +				"invalid extent entries, pblk %llu",
> +				pblk);
> +			ret = -EFSCORRUPTED;
> +			goto err;
> +		}
>  		ext4_cache_extents(inode, eh);
> +	}
>  	/* walk through the tree */
>  	while (i) {
>  		ext_debug(inode, "depth %d: num %d, max %d\n",

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.