Re: [PATCH] ext4: add bounds check in ext4_xattr_ibody_get() to prevent out-of-bounds access

Next message: Mi, Dapeng: "Re: [Patch v7 4/4] perf regs: Enable dumping of SIMD registers"
Previous message: Chen-Yu Tsai: "Re: [PATCH v3 9/9] arm64: dts: mt6392: add mt6392 PMIC dtsi"
Next in thread: Deepanshu Kartikey: "Re: [PATCH] ext4: add bounds check in ext4_xattr_ibody_get() to prevent out-of-bounds access"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Theodore Tso

Date: Thu Mar 26 2026 - 01:47:41 EST

On Wed, Feb 25, 2026 at 04:44:29AM +0530, Deepanshu Kartikey wrote:
> When mounting a corrupted ext4 filesystem, the inode's i_extra_isize
> can be set to a value that leaves insufficient space in the inode for
> the inline xattr header and entries. While ext4_iget() validates that
> i_extra_isize fits within the inode size, it does not account for the
> additional sizeof(ext4_xattr_ibody_header) needed by IHDR/IFIRST.

Actually, it does more than that. It also calls xattr_check_inode()
which should validate the xattr block in the inode.

So instead of adding the check in ext4_xattr_ibody_get(), we should
fix the check in __xattr_check_inode(). This is preferable since it's
more efficient than checking every time we try to fetch an extended
attribute, instead of validating it when the inode is read from the
inode table block.

- Ted