Conversation
added 3 commits on March 4, 2026 18:37
The maximum block size is considered to be 64 KiB, the standard block size is 4 KiB and the minimum block size is 1 KiB; however, the block size value is not checked while mounting images, which can lead to a division by zero in ext4_block_set_lb_size(). The issue is caused by ext4_mount() passing an invalid logical block size (size == 0) to ext4_block_set_lb_size() without checking its value. To fix the issue, check that the logical block size value is between 1 KiB and 64 KiB.
There are multiple out-of-bounds write issues while setting up the bitmap of the ext4 block (the ext4_block data field). These issues are caused by the ext4 block bitmap having a size of block_size when an image is mounted, while the number of block groups or the number of inodes per group may have a value greater than block_size. These values are then used as boundaries while setting block bitmap bits, but they are not checked to be less than block_size. To fix the issue, check these values before setting block bitmap bits.
There is a possible double-free issue in ext4_bcache_drop_buf() which may occur while iterating over directory entries (e.g. ext4_dir_entry_next()) when the block cache is full; in this case ext4_bcache_drop_buf() is called. The issue itself is caused by a referenced buffer not actually being removed from the lru RB-tree even though it is still freed. Buffers are dropped in ext4_block_cache_shake() until one of two conditions is met:
1. the lru RB-tree is empty
2. the block cache count is greater than the number of referenced blocks
Both conditions are impossible in the observed case, since referenced buffers are not removed and the ref count is not decremented. Thus, the first iteration frees the buffer without removing it from the lru RB-tree, and the second iteration picks the exact same buffer by calling ext4_buf_lowest_lru(), which is then freed for the second time. To fix the issue, try to remove the buffer from the lru RB-tree even if it is still referenced.
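As an added illustration of the mount-time guards described in the first two commits above (this is example code, not lwext4's own), the sketch below validates a constructed superblock view and bounds every bitmap bit write to the one-block bitmap. The struct, its field names and the derivation of the block size from a shift field are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed, simplified superblock view for this example (NOT lwext4's
 * struct ext4_sblock). On-disk ext4 stores the block size as a shift:
 * block_size = 1024 << log_block_size, so the field is assumed to hold that shift. */
struct sb_view {
    uint32_t log_block_size;     /* assumed field: shift relative to 1 KiB */
    uint32_t block_groups_count; /* used as a bit-setting bound when building the bitmap */
    uint32_t inodes_per_group;   /* likewise used as a bit-setting bound */
};

#define MIN_BLOCK_SIZE 1024u   /* 1 KiB  */
#define MAX_BLOCK_SIZE 65536u  /* 64 KiB */

/* Derive the logical block size and reject anything outside 1 KiB..64 KiB
 * before the value can reach a division. Returns 0 on success, -1 on a bad image. */
int sb_block_size(const struct sb_view *sb, uint32_t *out)
{
    if (sb->log_block_size > 6)          /* 1024 << 7 would already exceed 64 KiB */
        return -1;
    uint32_t bs = MIN_BLOCK_SIZE << sb->log_block_size;
    if (bs < MIN_BLOCK_SIZE || bs > MAX_BLOCK_SIZE)
        return -1;
    *out = bs;
    return 0;
}

/* The kind of division the unchecked path performs (device size in logical
 * blocks). It must only be reached after sb_block_size() succeeded, so lb_size != 0. */
uint64_t device_lb_count(uint64_t device_bytes, uint32_t lb_size)
{
    return device_bytes / lb_size;
}

/* Set bit `idx` in a bitmap that occupies exactly one block of block_size bytes.
 * Refuses indices at or beyond block_size * 8 instead of writing past the buffer. */
int bitmap_set_bit_checked(uint8_t *bitmap, uint32_t block_size, uint32_t idx)
{
    if (idx >= block_size * 8u)
        return -1;
    bitmap[idx / 8] |= (uint8_t)(1u << (idx % 8));
    return 0;
}

/* Mount-time guard: both counts are later used as bit-setting bounds, so each
 * must fit inside the one-block bitmap. Returns 1 if the image is acceptable. */
int sb_bitmap_bounds_fit(const struct sb_view *sb, uint32_t block_size)
{
    return sb->block_groups_count <= block_size * 8u &&
           sb->inodes_per_group <= block_size * 8u;
}
```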
sigdevel (Collaborator) approved these changes on Mar 4, 2026
There are several more issues found by fuzz testing lwext4: