[BUG] KASAN: out-of-bounds read in ext4_xattr_set_entry triggered by lsetxattr
From: Zw Tang
Date: Tue Mar 10 2026 - 05:32:49 EST
Hi,
I am reporting a KASAN out-of-bounds read issue triggered by a syzkaller
reproducer on Linux 7.0.0-rc3.
The reproducer mounts a crafted ext4 image and then calls lsetxattr() with
"system.posix_acl_access". The first crash is a KASAN report in
ext4_xattr_set_entry(), coming from __asan_memmove() while ext4 is handling
the ACL update and expanding inode extra isize.
This looks like an invalid size / boundary computation in the in-inode xattr
update path, likely during rearrangement of xattr entries or values in
ext4_xattr_set_entry(). The reported read size is 18446744073709551604,
which suggests a possible integer underflow being passed down to memmove().
Reproducer:
C reproducer: pastebin.com/raw/amERrUV4
console output: pastebin.com/raw/UgESgjBw
kernel config: pastebin.com/raw/FdALgYkg
Kernel:
HEAD commit: 1f318b96cc84d7c2ab792fcc0bfd42a7ca890681
git tree: torvalds/linux
kernel version: 7.0.0-rc3 #1 PREEMPT(full) (QEMU Standard PC (Q35 + ICH9, 2009))
Crash log:
[ 83.052095] BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x1343/0x1ce0
[ 83.054679] Read of size 18446744073709551604 at addr ffff8880109065d8 by task repro/244
[ 83.058624] CPU: 1 UID: 0 PID: 244 Comm: repro Not tainted 7.0.0-rc3 #1 PREEMPT(full)
[ 83.059041] __asan_memmove+0x24/0x60
[ 83.059067] ext4_xattr_set_entry+0x1343/0x1ce0
[ 83.059194] ext4_xattr_ibody_set+0x3dd/0x5e0
[ 83.059237] ext4_expand_extra_isize_ea+0xa9c/0x1850
[ 83.059481] __ext4_expand_extra_isize+0x341/0x480
[ 83.059511] __ext4_mark_inode_dirty+0x5d1/0x790
[ 83.059765] ext4_set_acl+0x396/0x580
[ 83.060113] set_posix_acl+0x25d/0x320
[ 83.060189] vfs_set_acl+0x405/0xa20
[ 83.060227] do_set_acl+0x80/0x130
[ 83.060264] do_setxattr+0xdb/0x1d0
[ 83.060384] filename_setxattr+0x149/0x1b0
[ 83.060520] path_setxattrat+0x1c8/0x2a0
[ 83.060875] __x64_sys_lsetxattr+0xc9/0x140
Thanks.
Zw Tang
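The reported size 18446744073709551604 is exactly (size_t)-12, which is what the reporter's "integer underflow passed down to memmove()" hypothesis predicts: a small negative region length converted to an unsigned length. The following is an added example, written for this page and not code from the reporter or from ext4; it models that hypothesis in a self-contained buffer. The functions kasan_size_as_signed, unchecked_region_len, checked_shift_region and shift_demo_ok are hypothetical names, and the "shift the packed values region up by grow bytes" step is a simplified stand-in for whatever ext4_xattr_set_entry actually does, not a claim about where the real defect lies.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Reinterpret the size KASAN printed as a signed value.
 * 18446744073709551604 == (size_t)-12: a small negative length that was
 * converted to size_t on its way into memmove().  Added illustration only. */
long long kasan_size_as_signed(unsigned long long reported)
{
    return (long long)reported;
}

/* Hypothetical model (not ext4's code) of a "move the packed values region
 * up by grow bytes" step.  The region [first_val, val) is shifted to make
 * room for a larger value.  If the stored value offset places val BEFORE
 * first_val (possible with a crafted on-disk image), val - first_val is
 * negative and, once converted to size_t for memmove(), becomes huge. */
size_t unchecked_region_len(const unsigned char *base,
                            size_t first_val_off, size_t val_off)
{
    const unsigned char *first_val = base + first_val_off;
    const unsigned char *val = base + val_off;
    return (size_t)(val - first_val);   /* wraps when val_off < first_val_off */
}

/* The same step with the boundary checks the unchecked version lacks.
 * Returns 0 on success, -1 when the offsets are inconsistent with the
 * buffer (what a filesystem would treat as corruption and reject). */
int checked_shift_region(unsigned char *base, size_t base_len,
                         size_t first_val_off, size_t val_off, size_t grow)
{
    if (val_off < first_val_off || val_off > base_len)
        return -1;                      /* length would underflow or run past base */
    if (grow > base_len - val_off)
        return -1;                      /* destination would overrun the buffer */
    memmove(base + first_val_off + grow, base + first_val_off,
            val_off - first_val_off);
    return 0;
}

/* Self-check on a constructed 64-byte buffer (constructed sample data):
 * returns 1 when the unchecked length wraps to (size_t)-12 for val < first_val,
 * the checked version rejects that layout, and a valid shift moves the bytes. */
int shift_demo_ok(void)
{
    unsigned char buf[64];
    size_t i;

    memset(buf, 0, sizeof buf);
    if (unchecked_region_len(buf, 40, 28) != 18446744073709551604ULL)
        return 0;
    if (checked_shift_region(buf, sizeof buf, 40, 28, 4) != -1)
        return 0;
    if (checked_shift_region(buf, sizeof buf, 16, 60, 8) != -1)
        return 0;

    for (i = 0; i < 8; i++)              /* values region [16, 24) = 1..8 */
        buf[16 + i] = (unsigned char)(i + 1);
    if (checked_shift_region(buf, sizeof buf, 16, 24, 8) != 0)
        return 0;
    for (i = 0; i < 8; i++)              /* now expected at [24, 32) */
        if (buf[24 + i] != (unsigned char)(i + 1))
            return 0;
    return 1;
}
```

The point of the pair is that the unchecked computation never fails loudly: it hands memmove() a length of about 16 EiB, and only KASAN turns that into a report. Any offset read from the image has to be validated against both the start of the values region and the end of the in-inode area before it is used in pointer arithmetic.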