Description
In the Linux kernel, the following vulnerability has been resolved: ext4: inline: fix len overflow in ext4_prepare_inline_data When running the following code on an ext4 filesystem with inline_data feature enabled, it will lead to the bug below. fd = open("file1", O_RDWR | O_CREAT | O_TRUNC, 0666); ftruncate(fd, 30); pwrite(fd, "a", 1, (1UL << 40) + 5UL); That happens because write_begin will succeed as when ext4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len will be truncated, leading to ext4_prepare_inline_data parameter to be 6 instead of 0x10000000006. Then, later when write_end is called, we hit: BUG_ON(pos + len > EXT4_I(inode)->i_inline_size); at ext4_write_inline_data. Fix it by using a loff_t type for the len parameter in ext4_prepare_inline_data instead of an unsigned int. [ 44.545164] ------------[ cut here ]------------ [ 44.545530] kernel BUG at fs/ext4/inline.c:240! [ 44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full) 112853fcebfdb93254270a7959841d2c6aa2c8bb [ 44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 44.546523] RIP: 0010:ext4_write_inline_data+0xfe/0x100 [ 44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49 [ 44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216 [ 44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006 [ 44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738 [ 44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 [ 44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000 [ 44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738 [ 44.546523] FS: 00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000 [ 44.546523] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0 [ 44.546523] PKRU: 55555554 [ 44.546523] Call Trace: [ 44.546523] <TASK> [ 44.546523] ext4_write_inline_data_end+0x126/0x2d0 [ 44.546523] generic_perform_write+0x17e/0x270 [ 44.546523] ext4_buffered_write_iter+0xc8/0x170 [ 44.546523] vfs_write+0x2be/0x3e0 [ 44.546523] __x64_sys_pwrite64+0x6d/0xc0 [ 44.546523] do_syscall_64+0x6a/0xf0 [ 44.546523] ? __wake_up+0x89/0xb0 [ 44.546523] ? xas_find+0x72/0x1c0 [ 44.546523] ? next_uptodate_folio+0x317/0x330 [ 44.546523] ? set_pte_range+0x1a6/0x270 [ 44.546523] ? filemap_map_pages+0x6ee/0x840 [ 44.546523] ? ext4_setattr+0x2fa/0x750 [ 44.546523] ? do_pte_missing+0x128/0xf70 [ 44.546523] ? security_inode_post_setattr+0x3e/0xd0 [ 44.546523] ? ___pte_offset_map+0x19/0x100 [ 44.546523] ? handle_mm_fault+0x721/0xa10 [ 44.546523] ? do_user_addr_fault+0x197/0x730 [ 44.546523] ? do_syscall_64+0x76/0xf0 [ 44.546523] ? arch_exit_to_user_mode_prepare+0x1e/0x60 [ 44.546523] ? irqentry_exit_to_user_mode+0x79/0x90 [ 44.546523] entry_SYSCALL_64_after_hwframe+0x55/0x5d [ 44.546523] RIP: 0033:0x7f42999c6687 [ 44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff [ 44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIG_RAX: 0000000000000012 [ 44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687 [ 44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003 [ 44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000 [ 44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 0000 ---truncated---
Product status
f19d5870cbf72d4cb2a8e1f749dff97af99b071e (git) before d3dfc60efd145df5324b99a244b0b05505cde29b
f19d5870cbf72d4cb2a8e1f749dff97af99b071e (git) before 717414a8c083c376d4a8940a1230fe0c6ed4ee00
f19d5870cbf72d4cb2a8e1f749dff97af99b071e (git) before 9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8
f19d5870cbf72d4cb2a8e1f749dff97af99b071e (git) before cf5f319a2d8ab8238f8cf3a19463b9bff6420934
f19d5870cbf72d4cb2a8e1f749dff97af99b071e (git) before 26e09d18599da0adc543eabd300080daaeda6869
f19d5870cbf72d4cb2a8e1f749dff97af99b071e (git) before 5766da2237e539f259aa0e5f3639ae37b44ca458
f19d5870cbf72d4cb2a8e1f749dff97af99b071e (git) before e80ee0263d88d77f2fd1927f915003a7066cbb50
f19d5870cbf72d4cb2a8e1f749dff97af99b071e (git) before 227cb4ca5a6502164f850d22aec3104d7888b270
3.8
Any version before 3.8
5.4.295 (semver)
5.10.239 (semver)
5.15.186 (semver)
6.1.142 (semver)
6.6.95 (semver)
6.12.35 (semver)
6.15.4 (semver)
6.16 (original_commit_for_fix)
References
lists.debian.org/debian-lts-announce/2025/10/msg00008.html
lists.debian.org/debian-lts-announce/2025/10/msg00007.html
cert-portal.siemens.com/productcert/html/ssa-082556.html
git.kernel.org/...c/d3dfc60efd145df5324b99a244b0b05505cde29b
git.kernel.org/...c/717414a8c083c376d4a8940a1230fe0c6ed4ee00
git.kernel.org/...c/9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8
git.kernel.org/...c/cf5f319a2d8ab8238f8cf3a19463b9bff6420934
git.kernel.org/...c/26e09d18599da0adc543eabd300080daaeda6869
git.kernel.org/...c/5766da2237e539f259aa0e5f3639ae37b44ca458
git.kernel.org/...c/e80ee0263d88d77f2fd1927f915003a7066cbb50
git.kernel.org/...c/227cb4ca5a6502164f850d22aec3104d7888b270