From nobody Wed Dec 17 17:41:45 2025 Received: from mail-il1-f200.google.com (mail-il1-f200.google.com [209.85.166.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0F6F22C08A1 for ; Fri, 3 Oct 2025 02:02:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.166.200 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759456957; cv=none; b=VNmZnHP5AY7+zhjlPrsDbNqq9SzS7uClobaPCD7ygk8BeFb7AatQG3nAY75j1zFKgSq0WC1kq7rShMiEPUqFAHxATX7U3fF/l2w2yVNBYHpAgHoE2JTunYdGW5LEsmKUXl6g6NF8awERBBM5s7cVlNIKOKyfxAT5NVP6VhXGGBw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759456957; c=relaxed/simple; bh=DY2LpIw+buD76/TQi8/+FFrw7iGIpPfinV+MQ53jhno=; h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To: Content-Type; b=N/tVp5T4WzBtyNakBz3Eqi7+OmjWYzm9X/N7trvU/cxDoR93D8NlSvZ6+3MzV2l0KSb48xOVWKNLFR7aWJIpcvmnUa9K3BoRGIhb1qMBcXycJPYHJ+/joBbZbUsHMvaag7OqqvkltzqbZD20v7JcePxfv4dDFejFnOrRZGZvOKs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.166.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com Received: by mail-il1-f200.google.com with SMTP id e9e14a558f8ab-42e74499445so10985015ab.3 for ; Thu, 02 Oct 2025 19:02:31 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759456951; x=1760061751; h=to:from:subject:message-id:in-reply-to:date:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=V5vs9n9028GGJFsoBbT/p4gNDi1uzSRnj3Xc4sJwfKs=; b=ca7tliBD738SnDRZ0QBlfkSFtRXCm/C38kAoiHvvGVwSpkqwHkU4AWT5e0TRr14r1r 0N3qG4xpQAkxCKJbpza/rM2TxGdL2m/RslKst9nVbSwkD7kbdisn01i8NZ+p52DY0+H6 BEfOo4jTPhd299GYLQbWaCGU5ubhTRwABsCQHNHGy2pITWQtt+ymcbh/3dte2wGZQjQy CXPBKNUgZn3w2BY1inGoNwVnoahz3hPbAXFc7A/GOgYDb0EUD8UIcrsa5wbpn31rkMKs 4rAG6jjDwKTWNKVtZzMKBg91KH/HNKGP+a9mti4ukwEiuRi+ZndpAJN8mWYRLaRXTrIM VW8g== X-Gm-Message-State: AOJu0Yz36zA3pqcGTgLtTXT00Jth2zSoDdQCfgBaA+eZSnCtixcZrlq6 GVBwcFGUDSQI01DYuVSYuv1becMW585HYw2bE7DSpb9+Yjnejhh4cwGotDWy17fqFqzweptAZKk hzPkQuUbV8EoueUyObHcXu7PO3gpxIk0Tpv/Zwft8scczrVouw8cYXF9hwXM= X-Google-Smtp-Source: AGHT+IEnhN5ZXhen6/XFABzvH6fT2pQLHNer7jCTQfJVOMd3tkue7NR0WhYNIXLvJDa0ZrWzkWMqr3lbt+tt+/LGuZcWjJ7YYGx0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Received: by 2002:a05:6e02:12e8:b0:42d:bb9d:5358 with SMTP id e9e14a558f8ab-42e7ada8fbcmr16029115ab.27.1759456951210; Thu, 02 Oct 2025 19:02:31 -0700 (PDT) Date: Thu, 02 Oct 2025 19:02:31 -0700 In-Reply-To: <68ddc2f9.a00a0220.102ee.006d.GAE@google.com> X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <68df2eb7.050a0220.2c17c1.0010.GAE@google.com> Subject: Forwarded: [PATCH] ext4: reject inline data flag when i_extra_isize is zero From: syzbot To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git= master Prevent use-after-free in ext4_search_dir by rejecting inodes that claim to have inline data but have no extra inode space allocated. ext4 inline data is stored in the extra inode space beyond the standard 128-byte inode structure. This requires i_extra_isize to be non-zero to provide space for the system.data xattr that stores the inline directory entries or file data. However, a corrupted filesystem can craft an inode with both: - i_extra_isize =3D=3D 0 (no extra space) - EXT4_INODE_INLINE_DATA flag set (claims to use extra space) This creates a fundamental inconsistency. When i_extra_isize is zero, ext4_iget() skips calling ext4_iget_extra_inode(), which means the inline xattr validation in check_xattrs() never runs. Later, when ext4_find_inline_entry() attempts to access the inline data, it reads unvalidated and potentially corrupt xattr structures, leading to out-of-bounds memory access and use-after-free. Fix this by validating in ext4_iget() that if an inode has the EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero. This catches the corruption at inode load time before any inline data operations are attempted. Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3D3ee481e21fd75e14c397 Signed-off-by: Deepanshu Kartikey --- fs/ext4/inode.c | 13 ++++++++++++- fs/ext4/xattr.c | 2 +- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 5b7a15db4953..257e9b1c6416 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -5099,7 +5099,8 @@ static inline int ext4_iget_extra_inode(struct inode = *inode, if (EXT4_INODE_HAS_XATTR_SPACE(inode) && *magic =3D=3D cpu_to_le32(EXT4_XATTR_MAGIC)) { int err; - + ext4_error_inode(inode, "ext4_iget_extra_inode", 5102, 0, + "wow this inode has extra space"); err =3D xattr_check_inode(inode, IHDR(inode, raw_inode), ITAIL(inode, raw_inode)); if (err) @@ -5112,6 +5113,7 @@ static inline int ext4_iget_extra_inode(struct inode = *inode, return err; } else EXT4_I(inode)->i_inline_off =3D 0; + return 0; } =20 @@ -5414,6 +5416,13 @@ struct inode *__ext4_iget(struct super_block *sb, un= signed long ino, ei->i_sync_tid =3D tid; ei->i_datasync_tid =3D tid; } + if (EXT4_INODE_SIZE(inode->i_sb) < EXT4_GOOD_OLD_INODE_SIZE) { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has less data"); + if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA)) { + ext4_error_inode(inode, function, line, 0, "wow! this inode is line"); + } + } =20 if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { if (ei->i_extra_isize =3D=3D 0) { @@ -5422,6 +5431,8 @@ struct inode *__ext4_iget(struct super_block *sb, uns= igned long ino, ei->i_extra_isize =3D sizeof(struct ext4_inode) - EXT4_GOOD_OLD_INODE_SIZE; } else { + ext4_error_inode(inode, function, line, 0, + "wow! this inode has reached ext4 iget"); ret =3D ext4_iget_extra_inode(inode, raw_inode, ei); if (ret) goto bad_inode; diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 5a6fe1513fd2..9b4a6978b313 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -195,7 +195,7 @@ check_xattrs(struct inode *inode, struct buffer_head *b= h, struct ext4_xattr_entry *e =3D entry; int err =3D -EFSCORRUPTED; char *err_str; - + ext4_error_inode(inode, "check_xattrs", 198, 0, "wow! we are in check_xat= trs"); if (bh) { if (BHDR(bh)->h_magic !=3D cpu_to_le32(EXT4_XATTR_MAGIC) || BHDR(bh)->h_blocks !=3D cpu_to_le32(1)) { --=20 2.43.0