#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

This patch addresses a vulnerability in EXT4 extent tree validation
where logically impossible extent entries could be created. The fix
prevents extent entries with an end block less than the start block.

Key changes:
- Add boundary checks to validate extent entries
- Prevent creation of extents with invalid block ranges
- Improve extent tree integrity checks

The bug was discovered via syzkaller, which generated a test case
exposing this boundary condition vulnerability during filesystem
metadata parsing.

Fixes: https://syzkaller.appspot.com/bug?extid=038b7bf43423e132b308
Reported-by: syzkaller <syzk...@googlegroups.com>
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/ext4/extents.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index ca5499e9412b..987a07a8554e 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -418,6 +418,10 @@ static int ext4_valid_extent_entries(struct inode *inode,
/* Check for overlapping extents */
lblock = le32_to_cpu(ext->ee_block);
+ ext4_lblk_t len = ext4_ext_get_actual_len(ext);
+ ext4_lblk_t end = lblock + len - 1;
+ if (end < lblock)
+ return 0;
if (lblock < cur) {
*pblk = ext4_ext_pblock(ext);
return 0;
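Review bot: the new `if (end < lblock)` test does not reject a zero-length extent at logical block 0. With `lblock == 0` and `len == 0`, `lblock + len - 1` wraps to the maximum value of ext4_lblk_t (an unsigned 32-bit type), so `end < lblock` is false and the entry falls through to the `lblock < cur` overlap check. An explicit `len == 0` test next to the wrap test would cover that case. Two smaller points in the same lines: the added `return 0` leaves `*pblk` untouched, while the `lblock < cur` branch directly below sets `*pblk = ext4_ext_pblock(ext)` before returning, so it is worth confirming whether the caller expects `*pblk` to be set on this failure path as well; and `len` and `end` are declared after the `lblock = le32_to_cpu(ext->ee_block);` statement, where kernel style places declarations at the top of the block. The commit message lists three key changes, but the diff adds a single four-line check, so the message would be more accurate if it described only that check.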
--
2.43.0