Linux Kernel ext4 Invalid INLINE_DATA and EXTENTS Flag Combination Vulnerability

Vulnerability

A vulnerability in the Linux kernel's ext4 file system has been addressed, concerning an invalid combination of INLINE_DATA and EXTENTS flags on an inode. This issue was reported by syzbot, which encountered a BUG_ON in the ext4 extent cache when opening a verity file on a corrupted ext4 file system that was mounted without a journal. The corruption arose because an inode had both the INLINE_DATA and EXTENTS flags set, which is not permissible. Inodes should have either INLINE_DATA, indicating that data is stored directly in the inode, or EXTENTS, where data is kept in extent-mapped blocks. The presence of both flags led to an improper validation of the extent tree, causing an integer underflow and triggering the BUG_ON condition. The vulnerability has been fixed by introducing a check for this invalid flag combination early in the inode retrieval process, ensuring that corrupted inodes are rejected.
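The flag check described above, sketched in userspace C as an added example; it is not the kernel patch. The helper names `check_inode_flags` and `make_sample_inode` are hypothetical, and the flag values and `i_flags` offset are assumed from the on-disk ext4 inode layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On-disk ext4 inode flag bits, as defined in the kernel's fs/ext4/ext4.h. */
#define EXT4_EXTENTS_FL     0x00080000u /* data lives in extent-mapped blocks */
#define EXT4_INLINE_DATA_FL 0x10000000u /* data lives inside the inode itself */
#define I_FLAGS_OFFSET      0x20        /* byte offset of i_flags in the raw inode */
#define MIN_INODE_SIZE      128         /* smallest valid on-disk inode */

enum inode_check { INODE_OK = 0, INODE_TOO_SHORT = -1, INODE_BAD_FLAGS = -2 };

/* Read a little-endian 32-bit field independent of host byte order. */
static uint32_t le32_at(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical helper: reject a raw inode that claims both storage layouts. */
enum inode_check check_inode_flags(const uint8_t *raw, size_t len)
{
    const uint32_t both = EXT4_EXTENTS_FL | EXT4_INLINE_DATA_FL;

    if (raw == NULL || len < MIN_INODE_SIZE)
        return INODE_TOO_SHORT;
    if ((le32_at(raw + I_FLAGS_OFFSET) & both) == both)
        return INODE_BAD_FLAGS; /* the mutually exclusive pair is set */
    return INODE_OK;
}

/* Constructed sample input: a zeroed minimal inode carrying only i_flags. */
void make_sample_inode(uint8_t *buf, uint32_t flags)
{
    memset(buf, 0, MIN_INODE_SIZE);
    for (int i = 0; i < 4; i++)
        buf[I_FLAGS_OFFSET + i] = (uint8_t)(flags >> (8 * i));
}

int main(void)
{
    uint8_t inode[MIN_INODE_SIZE];

    make_sample_inode(inode, EXT4_EXTENTS_FL | EXT4_INLINE_DATA_FL);
    printf("both flags set: %d\n", (int)check_inode_flags(inode, sizeof inode));
    return 0;
}
```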

Impact

The vulnerability could lead to a system crash or instability by causing a BUG_ON condition in the ext4 extent caching function, which is indicative of a serious error that the kernel cannot recover from.

Reproduction

The vulnerability can be reproduced by creating a corrupted ext4 file system that has an inode with both the INLINE_DATA and EXTENTS flags set. This can be done by manipulating the file system metadata to introduce the flag combination, then mounting the file system without a journal and accessing the affected inode through a verity file, which will trigger the BUG_ON condition in the ext4 extent cache.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Nov 12, 2025, 11:27 AM
Updated: Nov 12, 2025, 4:50 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.