[PATCH 0/5] fs: ext4: protection against corrupted filesystems

[PATCH 0/5] fs: ext4: protection against corrupted filesystems

[Sascha Hauer]

This series contains fixes against corrupted filesystems leading to
buffer overflows or division-by-zero. All patches have been tested to be
effective with manipulated fs images.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Sascha Hauer (5):
      fs: ext4: validate log2_block_size from superblock at mount
      fs: ext4: reject superblocks with zero inodesz, gdsize or inodes_per_group
      fs: ext4: fix OOB read and infinite loop in ext_iterate()
      fs: ext4: reject dirents with too-small direntlen to prevent infinite loops
      fs: ext4: validate extent eh_entries against buffer capacity

 fs/ext4/ext4_common.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 fs/ext4/ext_barebox.c | 13 ++++++++++---
 2 files changed, 61 insertions(+), 3 deletions(-)
---
base-commit: 0933e8f2ebf0d91dfcf177a4e4292b02921a53f1
change-id: 20260402-fs-ext4-buffer-overflows-b26d5463cb7c

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>

[PATCH 1/5] fs: ext4: validate log2_block_size from superblock at mount

[Sascha Hauer]

The superblock's log2_block_size field is read from disk and used
throughout the ext4 code without validation. EXT2_BLOCK_SIZE() computes
1 << (log2_block_size + 10), so a crafted value of 22 or larger causes
undefined behavior from shifting an int by >= 32 bits.

This leads to wrong allocation sizes for indirect block buffers and
enables downstream buffer overflows in every function that reads
block-sized data.

Validate that log2_block_size does not exceed the maximum defined by
EXT2_MAX_BLOCK_LOG_SIZE (65536 byte blocks) at mount time, rejecting
the filesystem early if it does.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 fs/ext4/ext4_common.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
index a38593105f..094293a069 100644
--- a/fs/ext4/ext4_common.c
+++ b/fs/ext4/ext4_common.c
@@ -514,6 +514,14 @@ int ext4fs_mount(struct ext_filesystem *fs)
 		goto fail;
 	}
 
+	if (le32_to_cpu(data->sblock.log2_block_size) >
+	    EXT2_MAX_BLOCK_LOG_SIZE - EXT2_MIN_BLOCK_LOG_SIZE) {
+		dev_err(fs->dev, "invalid block size %u\n",
+			le32_to_cpu(data->sblock.log2_block_size));
+		ret = -EINVAL;
+		goto fail;
+	}
+
 	if (le32_to_cpu(data->sblock.revision_level) == 0) {
 		fs->inodesz = 128;
 		fs->gdsize = 32;

-- 
2.47.3

[PATCH 2/5] fs: ext4: reject superblocks with zero inodesz, gdsize or inodes_per_group

[Sascha Hauer]

The superblock fields inode_size, descriptor_size, and inodes_per_group
are read from disk and used as divisors without validation:

  - inodesz == 0: division by zero in ext4fs_read_inode()
  - gdsize == 0: division by zero in ext4fs_blockgroup()
  - inodes_per_group == 0: division by zero in ext4fs_read_inode()

All three are trivially triggered by a crafted filesystem image.

Validate these fields are non-zero at mount time and reject the
filesystem if they aren't.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 fs/ext4/ext4_common.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
index 094293a069..5d252b4a2c 100644
--- a/fs/ext4/ext4_common.c
+++ b/fs/ext4/ext4_common.c
@@ -541,6 +541,15 @@ int ext4fs_mount(struct ext_filesystem *fs)
 	      le32_to_cpu(data->sblock.revision_level),
 	      fs->inodesz, fs->gdsize);
 
+	if (!fs->inodesz || !fs->gdsize ||
+	    !le32_to_cpu(data->sblock.inodes_per_group)) {
+		dev_err(fs->dev, "invalid superblock: inodesz=%u gdsize=%u inodes_per_group=%u\n",
+			fs->inodesz, fs->gdsize,
+			le32_to_cpu(data->sblock.inodes_per_group));
+		ret = -EINVAL;
+		goto fail;
+	}
+
 	data->diropen.data = data;
 	data->diropen.ino = 2;
 	data->diropen.inode_read = 1;

-- 
2.47.3

[PATCH 3/5] fs: ext4: fix OOB read and infinite loop in ext_iterate()

[Sascha Hauer]

ext_iterate() reads the entire directory into a buffer and walks it
parsing ext2_dirent entries, but has several issues with untrusted
on-disk data:

1. No check that a full ext2_dirent struct fits before reading it,
   causing an OOB read for the last partial entry.

2. No check that fpos + sizeof(dirent) + namelen fits within the
   buffer before passing the filename pointer to dir_emit(), causing
   an OOB read if namelen extends past the allocation.

3. If dirent->direntlen is 0, fpos never advances, causing an
   infinite loop.

Fix by:
- Checking that a full dirent struct fits before each iteration
- Validating that the filename region is within bounds before emitting
- Breaking out of the loop if direntlen is smaller than the minimum
  dirent size (which also catches the zero case)

All three are triggerable from a crafted ext4 filesystem image.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 fs/ext4/ext_barebox.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/fs/ext4/ext_barebox.c b/fs/ext4/ext_barebox.c
index 5bee4853d4..ef1a71368d 100644
--- a/fs/ext4/ext_barebox.c
+++ b/fs/ext4/ext_barebox.c
@@ -157,15 +157,20 @@ static int ext_iterate(struct file *file, struct dir_context *ctx)
 		goto out;
 	}
 
-	while (fpos < dir->i_size) {
+	while (fpos + sizeof(struct ext2_dirent) <= dir->i_size) {
 		const struct ext2_dirent *dirent = buf + fpos;
 		const char *filename = buf + fpos + sizeof(*dirent);
+		uint16_t direntlen = le16_to_cpu(dirent->direntlen);
 
-		if (dirent->namelen != 0)
+		if (direntlen < sizeof(struct ext2_dirent))
+			break;
+
+		if (dirent->namelen != 0 &&
+		    fpos + sizeof(*dirent) + dirent->namelen <= dir->i_size)
 			dir_emit(ctx, filename, dirent->namelen,
 				 le32_to_cpu(dirent->inode), DT_UNKNOWN);
 
-		fpos += le16_to_cpu(dirent->direntlen);
+		fpos += direntlen;
 	}
 	ret = 0;
 out:

-- 
2.47.3

[PATCH 4/5] fs: ext4: reject dirents with too-small direntlen to prevent infinite loops

[Sascha Hauer]

ext4fs_iterate_dir() and ext4fs_get_ino() walk directory entries using
dirent->direntlen from disk to advance the position. If a crafted
filesystem has direntlen == 0, the position never advances, causing an
infinite loop that can only be broken by a reset.

Reject directory entries where direntlen is smaller than the minimum
dirent struct size. This catches the zero case and also prevents
reading overlapping dirents.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 fs/ext4/ext4_common.c | 2 ++
 fs/ext4/ext_barebox.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
index 5d252b4a2c..b0c78f9e9a 100644
--- a/fs/ext4/ext4_common.c
+++ b/fs/ext4/ext4_common.c
@@ -359,6 +359,8 @@ int ext4fs_iterate_dir(struct ext2fs_node *dir, char *name,
 
 			free(fdiro);
 		}
+		if (le16_to_cpu(dirent.direntlen) < sizeof(struct ext2_dirent))
+			return -EINVAL;
 		fpos += le16_to_cpu(dirent.direntlen);
 	}
 	return -ENOENT;
diff --git a/fs/ext4/ext_barebox.c b/fs/ext4/ext_barebox.c
index ef1a71368d..f9a978c10c 100644
--- a/fs/ext4/ext_barebox.c
+++ b/fs/ext4/ext_barebox.c
@@ -106,6 +106,8 @@ static int ext4fs_get_ino(struct ext2fs_node *dir, struct qstr *name, int *inum)
 				return 0;
 			}
 		}
+		if (le16_to_cpu(dirent.direntlen) < sizeof(struct ext2_dirent))
+			return -EINVAL;
 		fpos += le16_to_cpu(dirent.direntlen);
 	}
 

-- 
2.47.3

[PATCH 5/5] fs: ext4: validate extent eh_entries against buffer capacity

[Sascha Hauer]

ext4fs_get_extent_block() and read_allocated_block() use the on-disk
eh_entries field to iterate over extent index and leaf entries without
validating it against the buffer that holds them.

The initial extent data lives in the inode's 60-byte block union,
which can hold at most 4 entries after the 12-byte header. Subsequent
extent blocks are read into a block-sized buffer. A crafted filesystem
with eh_entries larger than what fits in the buffer causes out-of-bounds
reads past the inode structure or the block allocation.

Validate eh_entries against the computed maximum capacity of the
containing buffer in both the index walk (ext4fs_get_extent_block)
and the leaf walk (read_allocated_block), returning an error if
the count exceeds what the buffer can hold.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 fs/ext4/ext4_common.c | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
index b0c78f9e9a..a7c0c0f0ff 100644
--- a/fs/ext4/ext4_common.c
+++ b/fs/ext4/ext4_common.c
@@ -38,6 +38,29 @@
 
 #include "ext4_common.h"
 
+/*
+ * Validate that eh_entries does not exceed the capacity of the buffer
+ * holding the extent block.  Returns 0 if valid, -EINVAL otherwise.
+ */
+static int ext4_check_eh_entries(struct ext4_extent_header *ext_block,
+				 char *buf, int blksz)
+{
+	int max_entries;
+	/* ext4_extent and ext4_extent_idx are both 12 bytes */
+	const int entry_size = sizeof(struct ext4_extent);
+
+	if ((char *)ext_block == buf)
+		max_entries = (blksz - sizeof(*ext_block)) / entry_size;
+	else
+		max_entries = (sizeof(((struct ext2_inode *)0)->b) -
+			       sizeof(*ext_block)) / entry_size;
+
+	if (le16_to_cpu(ext_block->eh_entries) > max_entries)
+		return -EINVAL;
+
+	return 0;
+}
+
 static struct ext4_extent_header *ext4fs_get_extent_block(struct ext2_data *data,
 		char *buf, struct ext4_extent_header *ext_block,
 		uint32_t fileblock, int log2_blksz)
@@ -57,6 +80,10 @@ static struct ext4_extent_header *ext4fs_get_extent_block(struct ext2_data *data
 
 		if (ext_block->eh_depth == 0)
 			return ext_block;
+
+		if (ext4_check_eh_entries(ext_block, buf, blksz))
+			return NULL;
+
 		i = -1;
 		do {
 			i++;
@@ -189,6 +216,11 @@ long int read_allocated_block(struct ext2fs_node *node, int fileblock)
 
 		extent = (struct ext4_extent *)(ext_block + 1);
 
+		if (ext4_check_eh_entries(ext_block, buf, blksz)) {
+			free(buf);
+			return -EINVAL;
+		}
+
 		for (i = 0; i < le16_to_cpu(ext_block->eh_entries); i++) {
 			startblock = le32_to_cpu(extent[i].ee_block);
 			endblock = startblock + le16_to_cpu(extent[i].ee_len);

-- 
2.47.3

Re: [PATCH 3/5] fs: ext4: fix OOB read and infinite loop in ext_iterate()

[Sascha Hauer]

On Thu, Apr 02, 2026 at 12:12:31PM +0200, Sascha Hauer wrote:
> ext_iterate() reads the entire directory into a buffer and walks it
> parsing ext2_dirent entries, but has several issues with untrusted
> on-disk data:
> 
> 1. No check that a full ext2_dirent struct fits before reading it,
>    causing an OOB read for the last partial entry.
> 
> 2. No check that fpos + sizeof(dirent) + namelen fits within the
>    buffer before passing the filename pointer to dir_emit(), causing
>    an OOB read if namelen extends past the allocation.
> 
> 3. If dirent->direntlen is 0, fpos never advances, causing an
>    infinite loop.
> 
> Fix by:
> - Checking that a full dirent struct fits before each iteration
> - Validating that the filename region is within bounds before emitting
> - Breaking out of the loop if direntlen is smaller than the minimum
>   dirent size (which also catches the zero case)
> 
> All three are triggerable from a crafted ext4 filesystem image.
> 
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Fixes: 76cb57b4e107 ("fs: ext4: Switch to dentry cache implementation")

Sascha

> ---
>  fs/ext4/ext_barebox.c | 11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/ext4/ext_barebox.c b/fs/ext4/ext_barebox.c
> index 5bee4853d4..ef1a71368d 100644
> --- a/fs/ext4/ext_barebox.c
> +++ b/fs/ext4/ext_barebox.c
> @@ -157,15 +157,20 @@ static int ext_iterate(struct file *file, struct dir_context *ctx)
>  		goto out;
>  	}
>  
> -	while (fpos < dir->i_size) {
> +	while (fpos + sizeof(struct ext2_dirent) <= dir->i_size) {
>  		const struct ext2_dirent *dirent = buf + fpos;
>  		const char *filename = buf + fpos + sizeof(*dirent);
> +		uint16_t direntlen = le16_to_cpu(dirent->direntlen);
>  
> -		if (dirent->namelen != 0)
> +		if (direntlen < sizeof(struct ext2_dirent))
> +			break;
> +
> +		if (dirent->namelen != 0 &&
> +		    fpos + sizeof(*dirent) + dirent->namelen <= dir->i_size)
>  			dir_emit(ctx, filename, dirent->namelen,
>  				 le32_to_cpu(dirent->inode), DT_UNKNOWN);
>  
> -		fpos += le16_to_cpu(dirent->direntlen);
> +		fpos += direntlen;
>  	}
>  	ret = 0;
>  out:
> 
> -- 
> 2.47.3
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |