Re: [f2fs-dev] [PATCH] f2fs: bound i_inline_xattr_size for non-inline-xattr inodes

Tue, 16 Jun 2026 01:57:13 -0700 

On 6/12/26 12:00, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <[email protected]>
> 
> When the flexible_inline_xattr feature is enabled, do_read_inode() loads
> the on-disk i_inline_xattr_size unconditionally:
> 
>       if (f2fs_sb_has_flexible_inline_xattr(sbi))
>               fi->i_inline_xattr_size = le16_to_cpu(ri->i_inline_xattr_size);
> 
> but sanity_check_inode() only range-checks it when the inode also has the
> FI_INLINE_XATTR flag set.  An inode that carries an inline dentry or inline
> data but not FI_INLINE_XATTR -- the normal layout for an inline
> directory -- therefore keeps a fully attacker-controlled
> i_inline_xattr_size from a crafted image.
> 
> get_inline_xattr_addrs() returns that value with no flag gating, so it
> feeds the inode geometry:
> 
>       MAX_INLINE_DATA()  = 4 * (CUR_ADDRS_PER_INODE - i_inline_xattr_size - 1)
>       NR_INLINE_DENTRY() = MAX_INLINE_DATA() * BITS_PER_BYTE / (...)
>       addrs_per_page()   = CUR_ADDRS_PER_INODE - i_inline_xattr_size
> 
> A large i_inline_xattr_size drives MAX_INLINE_DATA() and NR_INLINE_DENTRY()
> negative, so make_dentry_ptr_inline() sets d->max (int) to a negative
> value.  The inline directory walk then compares an unsigned long bit_pos
> against that negative d->max, which is promoted to a huge unsigned bound,
> and reads far past the inline area:
> 
>       while (bit_pos < d->max)                /* fs/f2fs/dir.c */
>               ... test_bit_le(bit_pos, d->bitmap) / d->dentry[bit_pos] ...
> 
> Mounting a crafted image and reading such a directory triggers an
> out-of-bounds read in f2fs_fill_dentries(); the same underflow also
> corrupts ADDRS_PER_INODE for regular files.
> 
> Validate i_inline_xattr_size against MAX_INLINE_XATTR_SIZE whenever the
> flexible_inline_xattr feature is enabled -- i.e. whenever the value is
> loaded from disk and consumed -- and keep the lower MIN_INLINE_XATTR_SIZE
> bound gated on inodes that actually carry an inline xattr, so legitimate
> inodes with i_inline_xattr_size == 0 are still accepted.
> 
> Fixes: 6afc662e68b5 ("f2fs: support flexible inline xattr size")
> Cc: [email protected]
> Signed-off-by: Bryam Vargas <[email protected]>

Reviewed-by: Chao Yu <[email protected]>

Thanks,


_______________________________________________
Linux-f2fs-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

Reply via email to