Linux Kernel ext4 EA Inode Reference Count Underflow Vulnerability in xattr Updates

Vulnerability

A vulnerability in the Linux kernel's ext4 file system has been addressed. It involved an underflow in the extended attribute (EA) inode reference count during updates. The issue was discovered by syzkaller, which found that the function 'ext4_xattr_inode_update_ref()' could read a reference count that was already zero or negative, and then apply a change that often decreased the count by one. This created a bogus reference count value, leading to filesystem errors. The fix adds a check for non-positive reference counts: such a value is treated as on-disk corruption, the operation fails, and the error is reported. This change prevents the underflow and its associated cleanup issues.

Impact

The vulnerability could lead to a reference count underflow, causing the file system to process an invalid reference count value, which could trigger errors and warnings related to the extended attribute inode management.

Reproduction

The vulnerability can be reproduced by using the 'ext4_xattr_inode_update_ref()' function to update an EA inode's reference count. If the reference count is already zero or negative, and a negative change is applied, the reference count will underflow, creating an invalid state that the file system will subsequently report as an error.
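The update path and the check described above, as a user-space C model. This is an added example, not the kernel's code and not taken from the fix commit; the struct, the function names and the error value are hypothetical, and the sample counts are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space model of the behaviour described above. */
#define MODEL_ERR_CORRUPT 1      /* stand-in for "on-disk corruption" */

struct model_ea_inode {
    int64_t ref_count;           /* count as read from disk (constructed) */
    int errors_reported;         /* corruption reports raised so far */
};

/* Before the fix: the change is applied to whatever value was read. */
static int model_update_ref_unchecked(struct model_ea_inode *ea, int ref_change)
{
    ea->ref_count += ref_change; /* 0 + (-1) becomes -1: bogus count */
    return 0;
}

/* After the fix: a non-positive count is treated as corruption, the
 * error is reported, and the operation fails without changing the count. */
static int model_update_ref_checked(struct model_ea_inode *ea, int ref_change)
{
    if (ea->ref_count <= 0) {
        ea->errors_reported++;
        fprintf(stderr, "EA inode: bad ref_count %lld, change %d refused\n",
                (long long)ea->ref_count, ref_change);
        return -MODEL_ERR_CORRUPT;
    }
    ea->ref_count += ref_change;
    return 0;
}

int main(void)
{
    struct model_ea_inode before = { 0, 0 };  /* constructed corrupt count */
    struct model_ea_inode after = { 0, 0 };
    int rc;

    rc = model_update_ref_unchecked(&before, -1);
    printf("unchecked: rc=%d ref_count=%lld\n", rc, (long long)before.ref_count);
    rc = model_update_ref_checked(&after, -1);
    printf("checked:   rc=%d ref_count=%lld\n", rc, (long long)after.ref_count);
    return 0;
}
```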

Remediation

Users can upgrade to the patched version of the Linux kernel where this vulnerability has been fixed. The specific commit addressing this issue is '57295e835408d8d425bef58da5253465db3d6888', which is available in the Linux kernel stable tree.

Added: Nov 12, 2025, 10:45 PM
Updated: Nov 12, 2025, 10:45 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.