Linux Kernel ext4 Invalid Free Tracking Vulnerability in xattr_move_to_block Function

Vulnerability

A vulnerability in the Linux kernel's ext4 file system has been addressed. In the ext4_xattr_move_to_block() function, the buffer holding the extended attribute value being moved to an external block is allocated by kvmalloc() only if the value is stored in an external inode. The function tried to determine this by checking entry->e_value_inum. By that point, however, the xattr entry had already been removed from its original location, so the pointer to it was no longer valid. As a result, the function could call kvfree() on a pointer that was not allocated by kvmalloc(), or leak memory by failing to free a buffer that needed freeing. The fix tracks whether the buffer should be freed in a separate variable.
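The pattern described above, reduced to user-space C as an added example (not the kernel's code or the actual patch): malloc()/free() stand in for kvmalloc()/kvfree(), and struct entry, move_to_block(), value_free() and the sample values are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for an xattr entry; only the field the page names. */
struct entry { unsigned e_value_inum; };

static int frees;                        /* counts heap frees */
static void value_free(void *p) { free(p); frees++; }

/*
 * Copy a value into `block`. inline_val models a value stored in the inode
 * body (borrowed memory, never to be freed). Returns 0, or -1 on ENOMEM.
 */
int move_to_block(struct entry *slot, char *inline_val,
                  char *block, size_t len)
{
    char *buffer;
    int needs_free = 0;                  /* the separate tracking variable */

    if (slot->e_value_inum) {
        buffer = malloc(len);            /* value read from external inode */
        if (!buffer) return -1;
        memset(buffer, 'E', len);        /* constructed content */
        needs_free = 1;                  /* decided while *slot is valid */
    } else {
        buffer = inline_val;             /* borrowed, not heap-owned */
    }

    /* Assumption: removing the entry leaves unrelated bytes in its slot. */
    memset(slot, 0xff, sizeof(*slot));

    memcpy(block, buffer, len);

    /* Pre-fix form: `if (slot->e_value_inum) value_free(buffer);` reads the
     * stale slot: nonzero junk frees inline_val, zero leaks the heap copy. */
    if (needs_free)
        value_free(buffer);
    return 0;
}

int main(void) {
    struct entry ext = { 1 }, inl = { 0 };
    char v[] = "abcd", blk[4];
    move_to_block(&ext, NULL, blk, 4);   /* heap path: one free */
    move_to_block(&inl, v, blk, 4);      /* inline path: no free */
    return frees == 1 ? 0 : 1;
}
```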

Impact

The vulnerability could cause memory management issues, such as leaking memory by not freeing buffers when required, or incorrectly freeing memory, which could lead to use-after-free errors.

Reproduction

The vulnerability can be reproduced by creating a scenario where an extended attribute is stored in an external inode and then moved to an external block using the ext4_xattr_move_to_block() function. This process can be automated with a fuzzer, such as syzkaller, which has reported this vulnerability.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Dec 24, 2025, 4:11 PM
Updated: Dec 24, 2025, 4:11 PM

Vulnerability Rating

Custom Algorithm

Spread: 9.0
Impact: 0.6
Exploitability: 4.3
Remediation: 7.7
Relevance: 1.5
Threat: 4.8
Urgency: 2.9
Incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.