From d048862ceac9b9c16842270b023d92f33b159ace Mon Sep 17 00:00:00 2001 From: 0ne1r0s Date: Tue, 9 Dec 2025 18:42:12 +0800 Subject: [PATCH] This patch fixes a slab-use-after-free vulnerability in `ext4_find_extent()` that occurs when processing a corrupted filesystem image. When traversing the extent tree, the kernel previously failed to validate the root extent header before using it. If `eh_entries` exceeds `eh_max` in the root header, the binary search macros (like `EXT_LAST_EXTENT`) calculate pointers beyond the allocated extent block. This leads to out-of-bounds memory access and populates the `path` array with invalid data. Subsequently, when `ext4_free_ext_path()` cleans up this corrupted path, it dereferences invalid pointers, triggering a Use-After-Free. The fix adds a consistency check in `ext4_find_extent()` to validate the root extent header. It ensures that `eh_entries` does not exceed `eh_max` before proceeding with the binary search. If the check fails, the function reports an error via `EXT4_ERROR_INODE` and returns `-EFSCORRUPTED`, preventing the unsafe memory access. Signed-off-by: 0ne1r0s --- fs/ext4/extents.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 34e25eee6521..b09f664695f2 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -904,6 +904,9 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, goto err; } + ret = ext4_ext_check(inode, eh, depth, 0); + if (ret) goto err; + if (path) { ext4_ext_drop_refs(path); if (depth > path[0].p_maxdepth) { -- 2.51.0
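Review bot: In the added lines, `if (ret) goto err;` puts the statement on the same line as the condition; kernel coding style (and checkpatch) wants the `goto` on its own indented line, as the existing `goto err;` two lines above already does. Separately, the commit message describes the fix as a single `eh_entries <= eh_max` comparison, but the hunk adds a call to the general `ext4_ext_check(inode, eh, depth, 0)` validator, so the message should describe what is actually being checked and should also say why the in-inode root header reaches this point unvalidated, since a reader of the log will otherwise assume the narrower check from the description. Passing `0` as the last argument for the in-inode root should be stated as intentional (there is no on-disk block address for the root) so it is not mistaken for a placeholder.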