[v1] Forwarded: [PATCH] ext4: add bounds check in xattr_find_entry() to prevent use-after-free

Forwarded: [PATCH] ext4: add bounds check in xattr_find_entry() to prevent use-after-free
Posted by syzbot 1 month, 3 weeks ago
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ext4: add bounds check in xattr_find_entry() to prevent use-after-free
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master



xattr_find_entry() receives an 'end' pointer to mark the boundary of
the valid xattr region but never uses it to validate entries during
iteration. The IS_LAST_ENTRY() macro dereferences the entry pointer
by casting it to __u32 and reading 4 bytes, without first verifying
that the entry falls within bounds.

On a corrupted filesystem, inline xattr entries in the inode body can
have a bogus e_name_len field. EXT4_XATTR_NEXT() uses e_name_len to
compute the next entry offset, which can jump past the valid xattr
region into freed memory. The subsequent IS_LAST_ENTRY() call on this
out-of-bounds pointer triggers a use-after-free read.

Fix this by:
1. Checking that the entry pointer is within bounds before each
   IS_LAST_ENTRY() dereference in the loop condition.
2. Validating that the next entry computed via EXT4_XATTR_NEXT()
   also falls within bounds before advancing the loop.

Return -EFSCORRUPTED if entries overrun the valid xattr region.

Reported-by: syzbot+fb32afec111a7d61b939@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fb32afec111a7d61b939
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/ext4/xattr.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 7bf9ba19a89d..f38eef93e3f8 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -333,6 +333,12 @@ xattr_find_entry(struct inode *inode, struct ext4_xattr_entry **pentry,
 	name_len = strlen(name);
 	for (entry = *pentry; !IS_LAST_ENTRY(entry); entry = next) {
 		next = EXT4_XATTR_NEXT(entry);
+		if ((void *)next + sizeof(__u32) > end) {
+			EXT4_ERROR_INODE(inode, "corrupted xattr entry: e_name_len=%u",
+			                  entry->e_name_len);
+			return -EFSCORRUPTED;
+		}
+
 		if ((void *) next >= end) {
 			EXT4_ERROR_INODE(inode, "corrupted xattr entries");
 			return -EFSCORRUPTED;
@@ -652,6 +658,13 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name,
 	header = IHDR(inode, raw_inode);
 	end = ITAIL(inode, raw_inode);
 	entry = IFIRST(header);
+
+	if ((void *)entry + sizeof(__u32) > end) {
+		EXT4_ERROR_INODE(inode, "inline xattr region overflow");
+		error = -EFSCORRUPTED;
+		goto cleanup;
+	}
+
 	error = xattr_find_entry(inode, &entry, end, name_index, name, 0);
 	if (error)
 		goto cleanup;
-- 
2.34.1