Linux Kernel Out-of-Bounds Read Vulnerability in ext4 File System

Vulnerability

A vulnerability in the Linux kernel's ext4 file system can lead to an out-of-bounds read. It is triggered by mounting a corrupted filesystem that contains a directory whose '.' directory entry has a rec_len equal to the block size. The ext4_empty_dir() function assumes that every directory holds at least the '.' and '..' entries in its first data block: it loads '.', runs the usual sanity checks on it, and then uses its rec_len to locate '..' in the same block. A rec_len of exactly one block passes those checks, because an entry is allowed to be the last one in its block, but it leaves the pointer to the next entry referencing memory just past the slot allocated to the block, so the following access is out of bounds. The bug was found with the syzkaller fuzzer; KASAN reports it as a use-after-free, although it is primarily an out-of-bounds read.

Impact

Triggering this vulnerability produces the error that KASAN reports as a use-after-free, which can lead to memory corruption.

Reproduction

To reproduce this vulnerability, mount a corrupted ext4 filesystem that contains a directory whose '.' entry has a rec_len equal to the block size, then remove that directory. The removal calls ext4_empty_dir(), which follows the oversized rec_len of '.' to a position past the end of the block, and the vulnerability manifests as an out-of-bounds read.
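As an added illustration (not code from this page or from the kernel), the following C program models the '.'/'..' walk that ext4_empty_dir() performs over a directory block and shows where a bounds check must sit so that an entry position derived from rec_len is validated before any field of that entry is read. The struct layout mirrors the ext4 on-disk directory entry, but the function names (checked_entry, dir_block_is_empty, put_entry, demo_*), the 4096-byte block size and the sample blocks are constructed for this example. demo_corrupted() builds the shape described above: a lone '.' entry whose rec_len spans the whole block, so the computed offset of '..' lands exactly at the end of the block.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On-disk ext4 directory entry (mirrors struct ext4_dir_entry_2). */
struct dir_entry {
    uint32_t inode;      /* 0 marks an unused slot */
    uint16_t rec_len;    /* distance to the next entry; the last one may span to the block end */
    uint8_t  name_len;
    uint8_t  file_type;
    char     name[];     /* name_len bytes, not NUL-terminated */
} __attribute__((packed));

#define BLOCK_SIZE 4096                  /* block size of the constructed samples */
#define DIR_HDR    sizeof(struct dir_entry)
enum { DIR_OK = 0, DIR_NOT_EMPTY = 1, DIR_ERR_CORRUPT = -1 };

/* Return the entry at 'off' if it is sane, else NULL. The first test is the one this bug needs:
 * the header must lie inside the block before rec_len is read. The rest are the usual rec_len rules. */
static const struct dir_entry *checked_entry(const unsigned char *block, size_t size, size_t off)
{
    const struct dir_entry *de;
    size_t min_len;
    if (off + DIR_HDR > size)                        /* entry starts at or past the end */
        return NULL;
    de = (const struct dir_entry *)(block + off);
    min_len = (DIR_HDR + de->name_len + 3) & ~(size_t)3;
    if (de->rec_len < DIR_HDR + 4 || (de->rec_len & 3) ||
        de->rec_len < min_len || off + de->rec_len > size)
        return NULL;
    return de;
}

/* Model of the walk in ext4_empty_dir(): '.', then '..' located via the rec_len of '.', then
 * the remaining entries. If rec_len of '.' equals the block size, the '..' offset equals
 * 'size' and checked_entry rejects it instead of dereferencing memory past the block. */
int dir_block_is_empty(const unsigned char *block, size_t size)
{
    const struct dir_entry *de = checked_entry(block, size, 0);
    size_t off;

    if (!de || de->inode == 0 || de->name_len != 1 || de->name[0] != '.')
        return DIR_ERR_CORRUPT;
    off = de->rec_len;                               /* ext4_next_entry() equivalent */
    de = checked_entry(block, size, off);            /* the check that stops the OOB read */
    if (!de || de->inode == 0 || de->name_len != 2 || memcmp(de->name, "..", 2) != 0)
        return DIR_ERR_CORRUPT;
    for (off += de->rec_len; off < size; off += de->rec_len) {
        if (!(de = checked_entry(block, size, off)))
            return DIR_ERR_CORRUPT;
        if (de->inode != 0)                          /* any live entry => not empty */
            return DIR_NOT_EMPTY;
    }
    return DIR_OK;
}

/* Constructed test data: write one entry at 'off' and return the offset of the next one. */
static size_t put_entry(unsigned char *block, size_t off, uint32_t ino,
                        uint16_t rec_len, const char *name)
{
    struct dir_entry *de = (struct dir_entry *)(block + off);
    de->inode = ino;
    de->rec_len = rec_len;
    de->name_len = (uint8_t)strlen(name);
    de->file_type = 2;                               /* EXT4_FT_DIR */
    memcpy(de->name, name, de->name_len);
    return off + rec_len;
}

/* Well-formed empty directory: '.' in 12 bytes, '..' spanning the rest of the block. */
int demo_well_formed(void)
{
    unsigned char block[BLOCK_SIZE] = {0};
    size_t off = put_entry(block, 0, 2, 12, ".");
    put_entry(block, off, 2, BLOCK_SIZE - 12, "..");
    return dir_block_is_empty(block, BLOCK_SIZE);
}

/* The corrupted shape from the advisory: '.' with rec_len == block size and no '..'. */
int demo_corrupted(void)
{
    unsigned char block[BLOCK_SIZE] = {0};
    put_entry(block, 0, 2, BLOCK_SIZE, ".");
    return dir_block_is_empty(block, BLOCK_SIZE);
}

/* Valid block holding a third live entry: the directory is not removable. */
int demo_not_empty(void)
{
    unsigned char block[BLOCK_SIZE] = {0};
    size_t off = put_entry(block, 0, 2, 12, ".");
    off = put_entry(block, off, 2, 12, "..");
    put_entry(block, off, 11, BLOCK_SIZE - 24, "file");
    return dir_block_is_empty(block, BLOCK_SIZE);
}

int main(void)
{
    printf("well-formed %d, corrupted %d, not-empty %d\n",
           demo_well_formed(), demo_corrupted(), demo_not_empty());
    return 0;
}
```

The point of the model is the order of operations in checked_entry: a rec_len equal to the block size is legal for the last entry in a block, so the rec_len rules alone cannot reject the '.' entry; what protects the kernel is refusing to read the header of the entry at offset 4096 at all. The corrupted sample is rejected as DIR_ERR_CORRUPT, which is the outcome an rmdir on such a directory should produce instead of a KASAN report.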

Remediation

Users should not mount ext4 filesystems that are untrusted or suspected to be corrupted until they have been checked and repaired (for example with e2fsck).

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread          9.0
impact          0.6
exploitability  4.3
remediation     0.0
relevance       0.0
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.