In the Linux kernel, the following vulnerability has been resolved:

ext4: fix bugon in _estreesearch

Hulk Robot reported a BUG_ON:

kernel BUG at fs/ext4/extentsstatus.c:199! [...] RIP: 0010:ext4esend fs/ext4/extentsstatus.c:199 [inline] RIP: 0010:_estreesearch+0x1e0/0x260 fs/ext4/extentsstatus.c:217 [...] Call Trace: ext4escacheextent+0x109/0x340 fs/ext4/extentsstatus.c:766 ext4cacheextents+0x239/0x2e0 fs/ext4/extents.c:561 ext4findextent+0x6b7/0xa20 fs/ext4/extents.c:964 ext4extmapblocks+0x16b/0x4b70 fs/ext4/extents.c:4384 ext4mapblocks+0xe26/0x19f0 fs/ext4/inode.c:567 ext4getblk+0x320/0x4c0 fs/ext4/inode.c:980 ext4bread+0x2d/0x170 fs/ext4/inode.c:1031 ext4quotaread+0x248/0x320 fs/ext4/super.c:6257 v2readheader+0x78/0x110 fs/quota/quotav2.c:63 v2checkquotafile+0x76/0x230 fs/quota/quotav2.c:82 vfsloadquotainode+0x5d1/0x1530 fs/quota/dquot.c:2368 dquotenable+0x28a/0x330 fs/quota/dquot.c:2490 ext4quotaenable fs/ext4/super.c:6137 [inline] ext4enablequotas+0x5d7/0x960 fs/ext4/super.c:6163 ext4fillsuper+0xa7c9/0xdc00 fs/ext4/super.c:4754 mountbdev+0x2e9/0x3b0 fs/super.c:1158 mountfs+0x4b/0x1e4 fs/super.c:1261

[...]

Above issue may happen as follows:

ext4fillsuper ext4enablequotas ext4quotaenable ext4iget _ext4iget ext4extcheckinode ext4extcheck _ext4extcheck ext4validextententries Check for overlapping extents does't take effect dquotenable vfsloadquotainode v2checkquotafile v2readheader ext4quotaread ext4bread ext4getblk ext4mapblocks ext4extmapblocks ext4findextent ext4cacheextents ext4escacheextent ext4escacheextent _estreesearch ext4esend BUGON(es->eslblk + es->eslen < es->es_lblk)

The error ext4 extents is as follows: 0af3 0300 0400 0000 00000000 extent_header 00000000 0100 0000 12000000 extent1 00000000 0100 0000 18000000 extent2 02000000 0400 0000 14000000 extent3

In the ext4validextententries function, if prev is 0, no error is returned even if lblock<=prev. This was intended to skip the check on the first extent, but in the error image above, prev=0+1-1=0 when checking the second extent, so even though lblock<=prev, the function does not return an error. As a result, bugON occurs in _estree_search and the system panics.

To solve this problem, we only need to check that: 1. The lblock of the first extent is not less than 0. 2. The lblock of the next extent is not less than the next block of the previous extent. The same applies to extent_idx.