Re: [PATCH] ext4: xattr: fix out-of-bounds access in ext4_xattr_set_entry
From: ZhengYuan Huang
Date: Thu Mar 19 2026 - 07:14:08 EST
On Wed, Mar 18, 2026 at 10:46 PM Theodore Tso <tytso@xxxxxxx> wrote:
> Can you send us a pointer to the reproducer? And does the reproducer
> involve actively modifying the mounted file system image, either via
> the block device or the underlying file (if a loop device is being used)?
Thanks for your reply. I'm happy to provide a reproducer. The
following PoC reproduces the bug deterministically.
The PoC is too large to inline in email, so I uploaded it here:
https://drive.google.com/drive/folders/1OzH1XvAOAb9ulpOKfL70U1LvXhhlHAyz
Steps to reproduce:
1. Download the PoC from the provided link and extract it.
2. Build the ublk helper program from the ublk codebase, which is
used to provide the runtime corruption capability:
    g++ -std=c++20 -fcoroutines -O2 -o standalone_replay \
        standalone_replay_ext4.cpp targets/ublksrv_tgt.cpp \
        -I. -Iinclude -Itargets/include \
        -L./lib/.libs -lublksrv -luring -lpthread
3. Attach the image through ublk:
    ./standalone_replay add -t loop -f /path/to/image
4. Run the reproducer:
    ./syz-execprog -executor=./syz-executor -repeat=0 -procs=1 -threaded=0 \
        -sandbox=none -method=dynamic -fstype=ext4 ./corpus0
I can reproduce the issue reliably on Ubuntu 24.04.
For completeness: the syz-execprog and syz-executor binaries here are
based on syzkaller, with only small local changes to add the
environment setup required by this reproducer. I can also provide the
modified sources if that would be helpful.
Apologies for the complexity of the reproducer. This issue was found
by our fuzzing tool, and I am still working on minimizing it,
which might take some time. I will send an updated, minimized version
as soon as possible.
And yes, the reproducer does involve actively modifying the mounted
filesystem image. We use ublk to enable this behavior.
thanks,
ZhengYuan Huang