From: Jinchao Wang
To: syzbot+f792df426ff0f5ceb8d1@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, Jinchao Wang, stable@vger.kernel.org
Subject: [PATCH] ext4: xattr: fix wrong search.here in clone_block
Date: Tue, 16 Dec 2025 20:39:38 +0800
Message-ID: <20251216123945.391988-2-wangjinchao600@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

syzbot reported a KASAN out-of-bounds Read in ext4_xattr_set_entry() [1].

When xattr_find_entry() returns -ENODATA, search.here still points to the
position after the last valid entry.

ext4_xattr_block_set() clones the xattr block because the original block
may be shared and must not be modified in place. In the clone_block,
search.here is recomputed unconditionally from the old offset, which may
place it past search.first. This results in a negative reset size and an
out-of-bounds memmove() in ext4_xattr_set_entry().

Fix this by initializing search.here correctly when search.not_found is set.

#syz test

[1] https://syzkaller.appspot.com/bug?extid=f792df426ff0f5ceb8d1

Fixes: fd48e9acdf2 ("ext4: Unindent codeblock in ext4_xattr_block_set")
Cc: stable@vger.kernel.org
Reported-by: syzbot+f792df426ff0f5ceb8d1@syzkaller.appspotmail.com
Signed-off-by: Jinchao Wang
Tested-by: syzbot+f792df426ff0f5ceb8d1@syzkaller.appspotmail.com
---
 fs/ext4/xattr.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 2e02efbddaac..cc30abeb7f30 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1980,7 +1980,10 @@ ext4_xattr_block_set(handle_t *handle, struct inode = *inode, goto cleanup; s->first =3D ENTRY(header(s->base)+1); header(s->base)->h_refcount =3D cpu_to_le32(1); - s->here =3D ENTRY(s->base + offset); + if (s->not_found) + s->here =3D s->first; + else + s->here =3D ENTRY(s->base + offset); s->end =3D s->base + bs->bh->b_size; =20 /* --=20 2.43.0
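Review bot: the new not_found branch, `if (s->not_found) s->here = s->first;`, points the cursor at a position the description itself does not name. The message says that after a failed lookup search.here sits after the last valid entry, but the hunk resets it to the first entry, which is a different slot whenever the cloned block already holds entries, and it is that cursor that the later memmove() in ext4_xattr_set_entry() uses as the insertion point. Either recompute the end-of-entries position on the cloned block (walk from s->first to the terminating entry, or redo the lookup against s->base) or state in the message why inserting at s->first is the intended position. Separately, the root cause is asserted rather than shown: why `ENTRY(s->base + offset)` lands past s->first when not_found is set is not explained, so a short comment above the if documenting when `offset` is stale would save the next reader from re-deriving it.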
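As an added illustration that is not part of this patch or of ext4's own code, the C program below models the insert the commit message describes with a hypothetical, simplified entry layout: fixed-size entries terminated by an all-zero entry, playing the roles of search.first, search.here and the "last" entry. It shows that a `here` cursor past the terminator makes the size_t `rest` wrap to a huge value rather than go negative, and pairs that with an insert that rejects any cursor outside [first, last] before calling memmove(). The `entry` struct, `find_last`, `insert_checked`, `rest_bytes` and the sample block are all constructed for the example and are not ext4 identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 8-byte entry (not ext4's ext4_xattr_entry). An all-zero
 * entry terminates the table, like the terminating word in the report. */
struct entry {
	uint8_t  name_index;
	uint8_t  name_len;
	uint16_t value_size;
	char     name[4];
};

#define NENTRIES 8	/* constructed block capacity: 64 bytes */

static int is_last_entry(const struct entry *e)
{
	return e->name_index == 0 && e->name_len == 0 && e->value_size == 0;
}

/* Walk from first to the terminator: the "last" cursor of the description. */
static struct entry *find_last(struct entry *first)
{
	struct entry *e = first;
	while (!is_last_entry(e))
		e++;
	return e;
}

/* Bytes an insert at `here` would memmove: (last - here) + terminator.
 * Done in size_t, so a `here` past `last` wraps instead of going negative. */
static size_t rest_bytes(struct entry *first, struct entry *here)
{
	struct entry *last = find_last(first);
	return (size_t)((char *)last - (char *)here) + sizeof(uint32_t);
}

/* Hardened insert: check the cursor against [first, last] and the block
 * end before touching memory. Returns 0 on success, -1 on a bad cursor. */
static int insert_checked(struct entry *block, size_t block_size,
			  struct entry *here, const struct entry *item)
{
	struct entry *last = find_last(block);
	size_t rest;

	if (here < block || here > last)
		return -1;		/* cursor outside the entry table */
	rest = (size_t)((char *)last - (char *)here) + sizeof(uint32_t);
	if ((char *)here + sizeof(*item) + rest > (char *)block + block_size)
		return -1;		/* insert would overrun the block */
	memmove((char *)here + sizeof(*item), here, rest);
	memcpy(here, item, sizeof(*item));
	return 0;
}

/* Constructed sample block: two entries followed by the zero terminator. */
static void build_block(struct entry *block)
{
	memset(block, 0, NENTRIES * sizeof(*block));
	block[0] = (struct entry){ .name_index = 1, .name_len = 3, .name = "abc" };
	block[1] = (struct entry){ .name_index = 1, .name_len = 3, .name = "xyz" };
}

/* Valid case: insert at the terminator; returns the entry count afterwards. */
static int demo_insert_at_end(void)
{
	struct entry block[NENTRIES];
	struct entry item = { .name_index = 2, .name_len = 1, .name = "q" };

	build_block(block);
	if (insert_checked(block, sizeof block, find_last(block), &item))
		return -1;
	return (int)(find_last(block) - block);
}

/* Bug shape from the report: cursor two entries past the terminator. */
static int demo_insert_past_last(void)
{
	struct entry block[NENTRIES];
	struct entry item = { .name_index = 2, .name_len = 1, .name = "q" };

	build_block(block);
	return insert_checked(block, sizeof block, find_last(block) + 2, &item);
}

/* 1 if the unchecked size for that same bad cursor exceeds the block. */
static int demo_rest_wraps(void)
{
	struct entry block[NENTRIES];

	build_block(block);
	return rest_bytes(block, find_last(block) + 2) > sizeof block;
}

int main(void)
{
	printf("insert at terminator -> %d entries\n", demo_insert_at_end());
	printf("insert past terminator -> %d (rejected)\n", demo_insert_past_last());
	printf("unchecked rest exceeds block: %d\n", demo_rest_wraps());
	return 0;
}
```

The ordering of the checks is the point: the cursor is validated against the table bounds before `rest` is computed, because once a past-the-end cursor has produced a wrapped size_t no later size comparison can be trusted.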