For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ocfs2: validate xattr entry count to prevent use-after-free
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci

The ocfs2_xattr_list_entries() function does not validate the
xh_count field read from the on-disk xattr header. When processing
a corrupted filesystem image, an invalid xh_count value causes the
loop to iterate beyond the bounds of the allocated block. This leads
to out-of-bounds memory access, potentially reaching freed pages and
triggering use-after-free bugs detected by KASAN.

The issue occurs because:
1. xh_count is read directly from disk without validation
2. The loop uses this value to access header->xh_entries[i]
3. When xh_count exceeds the block capacity, entry pointers extend
   beyond the allocated memory
4. Accessing these out-of-bounds pointers can reach freed memory

Fix this by validating that xh_count does not exceed the maximum
number of entries that can fit within the block before accessing
the entries array. Calculate the maximum as:

    (block_size - header_size) / entry_size

If validation fails, log an error and return -EUCLEAN to indicate
filesystem corruption.

Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/ocfs2/xattr.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index d70a20d29e3e..db352df00101 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -928,8 +928,20 @@ static int ocfs2_xattr_list_entries(struct inode *inode,
size_t result = 0;
int i, type, ret;
const char *name;
-
- for (i = 0 ; i < le16_to_cpu(header->xh_count); i++) {
+ u16 count;
+ size_t max_entries;
+ struct super_block *sb = inode->i_sb;
+ count = le16_to_cpu(header->xh_count);
+ max_entries = (sb->s_blocksize - sizeof(struct ocfs2_xattr_header)) /
+ sizeof(struct ocfs2_xattr_entry);
+ if (count > max_entries) {
+ mlog(ML_ERROR,
+ "xattr entry count %u exceeds maximum %zu in inode %llu\n",
+ count, max_entries,
+ (unsigned long long)OCFS2_I(inode)->ip_blkno);
+ return -EUCLEAN;
+ }
+ for (i = 0 ; i < count; i++) {
struct ocfs2_xattr_entry *entry = &header->xh_entries[i];
type = ocfs2_xattr_get_type(entry);
name = (const char *)header +
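Review bot: The bound computed in `max_entries = (sb->s_blocksize - sizeof(struct ocfs2_xattr_header)) / sizeof(struct ocfs2_xattr_entry)` is only tight if `header` sits at offset 0 of a full `s_blocksize` buffer, and nothing in this hunk establishes that: the function works from a `header` pointer alone. If the header lives at some offset inside its block (after other on-disk fields, or in an inode's inline xattr area), a `count` that passes this check can still index `xh_entries[]` past the end of the buffer, so the out-of-bounds read is narrowed rather than closed. Consider passing the space actually available after `header` (or the end of the containing buffer) into the function and bounding `count` against that instead of the whole block size. If the offset added to `header` when computing `name` at the end of the hunk also comes from disk, it needs the same kind of range check. Style: the patch drops the blank line between the declarations and the first statement; keep one after `struct super_block *sb = inode->i_sb;`.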
--
2.43.0