syzbot reported use-after-free in ext4_find_extent() [1]. If there is a corrupted file system, this can cause invalid memory access. This patch fixes the issue by verifying extent header. Reported-by: syzbot+bf4bb7731ef73b83a3b4@xxxxxxxxxxxxxxxxxxxxxxxxx Link: https://syzkaller.appspot.com/bug?id=cd95cb722bfa1234ac4c78345c8953ee2e7170d0 [1] Signed-off-by: Shigeru Yoshida <syoshida@xxxxxxxxxx> --- fs/ext4/extents.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 9de1c9d1a13d..79bfa583ab1d 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -901,6 +901,9 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, ret = -EFSCORRUPTED; goto err; } + ret = ext4_ext_check(inode, eh, depth, 0); + if (ret) + goto err; if (path) { ext4_ext_drop_refs(path); -- 2.38.1
