Patch "ext4: add bounds checking in get_max_inline_xattr_value_size()" has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    ext4: add bounds checking in get_max_inline_xattr_value_size()

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 2220eaf90992c11d888fe771055d4de330385f01 Mon Sep 17 00:00:00 2001
From: Theodore Ts'o <tytso@xxxxxxx>
Date: Fri, 12 May 2023 15:11:02 -0400
Subject: ext4: add bounds checking in get_max_inline_xattr_value_size()

From: Theodore Ts'o <tytso@xxxxxxx>

commit 2220eaf90992c11d888fe771055d4de330385f01 upstream.

Normally the extended attributes in the inode body would have been
checked when the inode is first opened, but if someone is writing to
the block device while the file system is mounted, it's possible for
the inode table to get corrupted.  Add bounds checking to avoid
reading beyond the end of allocated memory if this happens.

Reported-by: syzbot+1966db24521e5f6e23f7@xxxxxxxxxxxxxxxxxxxxxxxxx
Link: https://syzkaller.appspot.com/bug?extid=1966db24521e5f6e23f7
Cc: stable@xxxxxxxxxx
Signed-off-by: Theodore Ts'o <tytso@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/ext4/inline.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -32,6 +32,7 @@ static int get_max_inline_xattr_value_si
 	struct ext4_xattr_ibody_header *header;
 	struct ext4_xattr_entry *entry;
 	struct ext4_inode *raw_inode;
+	void *end;
 	int free, min_offs;
 
 	if (!EXT4_INODE_HAS_XATTR_SPACE(inode))
@@ -55,14 +56,23 @@ static int get_max_inline_xattr_value_si
 	raw_inode = ext4_raw_inode(iloc);
 	header = IHDR(inode, raw_inode);
 	entry = IFIRST(header);
+	end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
 
 	/* Compute min_offs. */
-	for (; !IS_LAST_ENTRY(entry); entry = EXT4_XATTR_NEXT(entry)) {
+	while (!IS_LAST_ENTRY(entry)) {
+		void *next = EXT4_XATTR_NEXT(entry);
+
+		if (next >= end) {
+			EXT4_ERROR_INODE(inode,
+					 "corrupt xattr in inline inode");
+			return 0;
+		}
 		if (!entry->e_value_inum && entry->e_value_size) {
 			size_t offs = le16_to_cpu(entry->e_value_offs);
 			if (offs < min_offs)
 				min_offs = offs;
 		}
+		entry = next;
 	}
 	free = min_offs -
 		((void *)entry - (void *)IFIRST(header)) - sizeof(__u32);
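
Review bot: In the new while loop, `if (next >= end)` only rejects a `next` that starts at or beyond the end of the inode. A `next` that lands in the last few bytes before `end` passes the check, and the following iteration dereferences it through IS_LAST_ENTRY(entry) and the entry->e_value_inum, entry->e_value_size and entry->e_value_offs reads, which can then extend past `end`. Consider requiring that at least the terminator word fits, for example `if (next + sizeof(__u32) > end)`, matching the sizeof(__u32) that the `free` computation below already reserves. A smaller point on the same block: `return 0` makes a corrupt inode look the same as "no inline space" to the caller, so the EXT4_ERROR_INODE message is the only signal; a short comment saying that this is intentional would help the next reader.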


Patches currently in stable-queue which might be from tytso@xxxxxxx are

queue-5.10/ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch
queue-5.10/ext4-fix-use-after-free-read-in-ext4_find_extent-for.patch
queue-5.10/ext4-fix-warning-in-mb_find_extent.patch
queue-5.10/ext4-fix-deadlock-when-converting-an-inline-directory-in-nojournal-mode.patch
queue-5.10/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch
queue-5.10/jdb2-don-t-refuse-invalidation-of-already-invalidate.patch
queue-5.10/ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch
queue-5.10/ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch
queue-5.10/ext4-check-iomap-type-only-if-ext4_iomap_begin-does-not-fail.patch
queue-5.10/ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch
queue-5.10/ext4-use-ext4_journal_start-stop-for-fast-commit-transactions.patch
queue-5.10/ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch
queue-5.10/ext4-fix-data-races-when-using-cached-status-extents.patch


