Re: [PATCH] ext4: validate readdir offset before accessing dirent
From: Jan Kara
Date: Fri Jul 03 2026 - 11:43:40 EST
On Fri 03-07-26 09:51:06, Yao Kai wrote:
> A corrupted directory can trigger the following KASAN report when
> ext4_readdir() resumes from an invalid position:
>
> BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x5ef/0x820
> Read of size 2 at addr ffff88810a646000 by task repro_linear/509
>
> Call Trace:
> <TASK>
> dump_stack_lvl+0x53/0x70
> print_report+0xd0/0x630
> kasan_report+0xce/0x100
> __ext4_check_dir_entry+0x5ef/0x820
> ext4_readdir+0xcde/0x2b70
> iterate_dir+0x1a1/0x520
> __x64_sys_getdents64+0x12b/0x220
> do_syscall_64+0xf9/0x540
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> </TASK>
>
> KASAN reports use-after-free because the out-of-bounds access lands in an
> adjacent freed page. The directory buffer itself is still referenced.
>
> ext4_dir_llseek() invalidates the directory cookie so that ext4_readdir()
> rescans directory entries from the start of the block. The rescan checks
> only the lower bound of rec_len before advancing. A corrupted rec_len can
> therefore place the offset where the block has insufficient space for a
> complete directory entry. The rescan itself may dereference that truncated
> entry, or the main loop may pass it to __ext4_check_dir_entry(). The latter
> reads de->rec_len before validating the range. For example:
>
> block offset 0 4092 4096
> |---- de1.rec_len = 4092 -----|----|
> de2.inode
> | de2.rec_len
> ^ OOB, reported as UAF
>
> de2 starts at offset 4092 in this 4 KiB block. Its four-byte inode fits in
> the block, but its rec_len starts at offset 4096 and crosses the boundary.
>
> The minimum safe length is inode-dependent. Encrypted and casefolded
> directory entries need eight additional hash bytes, while a valid metadata
> checksum tail is only 12 bytes.
>
> Cache the metadata checksum feature state and derive the minimum directory
> entry length from the on-disk format. Use it to bound both the rescan and
> the offset passed to the main loop. Report an offset in a truncated block
> tail and skip the remainder of the block, while continuing to accept an
> offset exactly at the block boundary.
>
> Reported-by: syzbot+5322c5c260eb44d209ed@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=5322c5c260eb44d209ed
> Fixes: ac27a0ec112a ("[PATCH] ext4: initial copy of files from ext3")
> Signed-off-by: Yao Kai <yaokai34@xxxxxxxxxx>
Just one nit below. Feel free to add:
Reviewed-by: Jan Kara <jack@xxxxxxx>
> @@ -257,6 +261,17 @@ static int ext4_readdir(struct file *file, struct dir_context *ctx)
> info->cookie = inode_query_iversion(inode);
> }
>
> + if (unlikely(offset < sb->s_blocksize &&
> + offset > sb->s_blocksize -
> + ext4_dir_rec_len(1, has_csum ? NULL : inode))) {
> + EXT4_ERROR_FILE(file, bh->b_blocknr,
> + "bad entry in directory: %s - offset=%u, size=%lu",
> + "directory entry too close to block end",
> + offset, sb->s_blocksize);
> + ctx->pos = (ctx->pos | (sb->s_blocksize - 1)) + 1;
^^^ this is round_up(ctx->pos, sb->s_blocksize)
> + goto next_block;
> + }
> +
> while (ctx->pos < inode->i_size
> && offset < sb->s_blocksize) {
> de = (struct ext4_dir_entry_2 *) (bh->b_data + offset);
Honza
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR