Re: [PATCH] ext4: prevent out-of-bounds read in ext4_read_inline_data()

From: Junjie Cao

Date: Thu Apr 23 2026 - 05:03:19 EST


Thanks for the review, Jan.

You're right that v1 failed to identify why the buffer changes. I dug
into the syzbot reproducer; the corruption path is:

1. Mount a crafted ext4 image on a loop device
2. Bind-mount the loop device, open + mmap it MAP_SHARED|PROT_WRITE
3. Write through the mapping; this overwrites the inline xattr
entry directly in the bdev page cache

The inode buffer_head stays uptodate throughout, so no re-validation
ever triggers; xattr_check_inode() at iget time is thorough but only
runs once, leaving subsequent in-place corruption of the page cache
undetected.

However, ext4_xattr_ibody_get() already guards against this with a
bounds check before its memcpy (xattr.c:674). ext4_read_inline_data()
lacks the same check because it indexes via the cached i_inline_off,
bypassing xattr_find_entry() entirely. I think aligning the two paths
is worthwhile, and it would also clear this syzbot report.

Would a v2 with this framing be acceptable to you?

Many thanks,
Junjie
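The failure mode described in the message, modelled as an added example that is not ext4's code and not the patch under discussion: a simplified in-memory inode whose cached entry offset stays fixed while the entry bytes in the "page cache" are overwritten in place, and a reader that re-validates the entry's value offset and size against the in-inode area on every call instead of trusting them. All struct names, sizes and offsets (toy_inode, TOY_INODE_SIZE, the 128-byte base size, the 96-byte extra area) are assumptions chosen for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified model of an ext4 inode as cached in the block
 * device page cache. Not ext4's own structures or code. */
#define TOY_INODE_SIZE      256   /* assumed on-disk inode size */
#define TOY_BASE_INODE_SIZE 128   /* assumed fixed base inode size */

struct toy_xattr_entry { uint16_t value_offs; uint16_t value_size; };

struct toy_inode {
    uint8_t  raw[TOY_INODE_SIZE]; /* raw bytes; may change under us */
    uint16_t extra_isize;         /* bytes of in-inode xattr area in use */
    uint16_t inline_off;          /* cached offset of the inline-data entry */
};

/* Copy up to len bytes of inline data. The entry is located via the cached
 * inline_off, but its value offset and size are re-read from raw[] and
 * bounds-checked every time. Returns bytes copied, or -1 on corruption. */
static int toy_read_inline_data(const struct toy_inode *in, uint8_t *dst, size_t len)
{
    size_t ibody_end = (size_t)TOY_BASE_INODE_SIZE + in->extra_isize;
    struct toy_xattr_entry e;
    size_t voff, vsize;

    if (ibody_end > TOY_INODE_SIZE)                     /* extra_isize bogus */
        return -1;
    if (in->inline_off < TOY_BASE_INODE_SIZE || in->inline_off + sizeof e > ibody_end)
        return -1;                                      /* entry outside area */
    memcpy(&e, in->raw + in->inline_off, sizeof e);     /* fresh read of entry */
    voff = (size_t)TOY_BASE_INODE_SIZE + e.value_offs;
    vsize = e.value_size;
    if (voff > ibody_end || vsize > ibody_end - voff)   /* value spills past inode */
        return -1;
    if (len > vsize)
        len = vsize;
    memcpy(dst, in->raw + voff, len);
    return (int)len;
}

/* Build a well-formed sample inode holding a constructed inline value. */
static void toy_build_inode(struct toy_inode *in, const char *value)
{
    struct toy_xattr_entry e = { .value_offs = 64, .value_size = (uint16_t)strlen(value) };
    memset(in, 0, sizeof *in);
    in->extra_isize = 96;                               /* area is raw[128..224) */
    in->inline_off = 136;                               /* entry at raw[136..140) */
    memcpy(in->raw + in->inline_off, &e, sizeof e);
    memcpy(in->raw + TOY_BASE_INODE_SIZE + e.value_offs, value, e.value_size);
}

/* Simulate a write through the shared mapping: only the entry's raw bytes
 * change; the cached inline_off is untouched and nothing else revalidates. */
static void toy_corrupt_entry(struct toy_inode *in, uint16_t bad_offs, uint16_t bad_size)
{
    struct toy_xattr_entry e = { .value_offs = bad_offs, .value_size = bad_size };
    memcpy(in->raw + in->inline_off, &e, sizeof e);
}

/* Good read first, then the same read after two in-place corruptions.
 * Returns 1 when the checked reader accepts the good entry and rejects both. */
static int toy_scenario(void)
{
    struct toy_inode in;
    uint8_t buf[64];
    toy_build_inode(&in, "hello");
    if (toy_read_inline_data(&in, buf, sizeof buf) != 5 || memcmp(buf, "hello", 5) != 0)
        return 0;
    toy_corrupt_entry(&in, 0xFFF0, 8);                  /* offset past the inode */
    if (toy_read_inline_data(&in, buf, sizeof buf) != -1)
        return 0;
    toy_corrupt_entry(&in, 64, 0x4000);                 /* size past the inode */
    return toy_read_inline_data(&in, buf, sizeof buf) == -1;
}
```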