[Debian-ha-maintainers] Vulnerability Report - 4 findings in ocfs2-tools
Tristan
TristanInSec at gmail.com
Wed Jun 10 21:28:53 BST 2026
Hello,
I am reporting 4 memory corruption vulnerabilities in ocfs2-tools
(the OCFS2 filesystem utilities). All run as root and are triggered
by crafted OCFS2 filesystem images.
Can you please loop Mark Fasheh upstream? (GHSA is disabled
on his repo, so I am contacting you directly as the Debian project
ships this package.)
All findings verified against commit e7999c8.
Findings summary:
- Journal s_blocksize heap OOB R/W (CVSS 7.8, CWE-787)
- Extent list OOB via el_count/el_next_free_rec (CVSS 7.1, CWE-125)
- Xattr underflow via xe_name_offset (CVSS 6.5, CWE-191)
- Journal replay arbitrary heap write (CVSS 7.8, CWE-787)
I would appreciate acknowledgment of receipt and CVE assignment for
each confirmed finding.
Regards,
Tristan
-------------- next part --------------
Journal s_blocksize Heap OOB Read/Write
=======================================================
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CWE: CWE-787 (Out-of-bounds Write)
Target: ocfs2-tools (commit e7999c8)
The journal handler uses s_blocksize from on-disk metadata without
validation. An unvalidated blocksize causes undersized allocations.
Full journal replay writes into the undersized buffer, giving the
attacker controlled heap OOB reads and writes.
Data flow: on-disk journal superblock -> s_blocksize (unvalidated)
-> undersized alloc -> journal replay into OOB -> heap corruption.
-------------- next part --------------
Journal Replay Arbitrary Heap Write
====================================================
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CWE: CWE-787 (Out-of-bounds Write)
Target: ocfs2-tools (commit e7999c8)
During journal replay, the block number from the journal is used
as an offset without validation. This allows writes to arbitrary
locations within the heap allocation, providing an arbitrary write
primitive from a crafted OCFS2 image.
Data flow: on-disk journal -> block number (attacker-controlled)
-> write at arbitrary heap offset -> arbitrary write primitive.
-------------- next part --------------
Xattr Underflow via xe_name_offset
===================================================
CVSS 3.1: 6.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CWE: CWE-191 (Integer Underflow)
Target: ocfs2-tools (commit e7999c8)
The xattr handler uses xe_name_offset from on-disk metadata as
an offset into the xattr block. When xe_name_offset is less than
the header size, the computed pointer underflows, reading data
before the start of the buffer.
Data flow: on-disk xattr -> xe_name_offset < header_size
-> pointer underflow -> reads before buffer start.
-------------- next part --------------
Extent List OOB via el_count/el_next_free_rec
==============================================================
CVSS 3.1: 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
CWE: CWE-125 (Out-of-bounds Read)
Target: ocfs2-tools (commit e7999c8)
The extent list parser uses el_count and el_next_free_rec from
on-disk metadata as loop bounds without checking them against the
actual buffer size. Unbounded iteration reads past the allocation.
Data flow: on-disk extent list -> el_count/el_next_free_rec
(unbounded) -> iteration past buffer -> heap OOB read.
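The four findings above share one root cause: an on-disk field (s_blocksize, a replayed block number, el_count/el_next_free_rec, xe_name_offset) is used to size an allocation, index a buffer or bound a loop before it is checked against the buffer that actually holds it. The C below is an added illustration of the checks a hardened parser would apply at each of those points. It is not code from ocfs2-tools, from the reporter, or from the proposed fix; the byte layout of the sample superblock, the 16-byte extent record size, the 512..65536 block-size range and every function name are assumptions made for this example only, and the sample superblocks are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical layouts and limits for this example only. They are NOT the
 * real ocfs2-tools or JBD2 on-disk structures; only the field names mirror
 * the ones used in the report.
 */
#define MIN_BLOCKSIZE   512u
#define MAX_BLOCKSIZE   65536u
#define EXTENT_REC_SIZE 16u          /* assumed size of one extent record */

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Journal s_blocksize (assumed at byte offset 4 of the superblock here) is
 * trusted only if it is a power of two within range and agrees with the
 * filesystem block size. Returns the size to allocate for the replay
 * buffer, or 0 to reject the image. */
size_t replay_buffer_size(const uint8_t *sb, size_t sb_len, uint32_t fs_blocksize)
{
    if (sb_len < 8) return 0;                /* header itself is truncated */
    uint32_t bs = read_le32(sb + 4);
    if (bs < MIN_BLOCKSIZE || bs > MAX_BLOCKSIZE) return 0;
    if (bs & (bs - 1)) return 0;             /* not a power of two */
    if (bs != fs_blocksize) return 0;        /* disagrees with the filesystem */
    return bs;
}

/* Journal replay: a block number from the log becomes a byte offset only
 * if the product cannot overflow and the whole block lies inside the
 * target buffer/device. Returns the offset, or -1 to reject. */
int64_t replay_target_offset(uint64_t blkno, uint32_t bs, uint64_t target_bytes)
{
    if (bs == 0 || blkno > UINT64_MAX / bs) return -1;   /* blkno * bs overflows */
    uint64_t off = blkno * bs;
    if (off >= target_bytes || target_bytes - off < bs) return -1;
    if (off > (uint64_t)INT64_MAX) return -1;
    return (int64_t)off;
}

/* Extent list: el_count must fit in the bytes that follow the list header,
 * and el_next_free_rec (the loop bound) must not exceed el_count. */
int valid_extent_list(uint16_t el_count, uint16_t el_next_free_rec,
                      size_t bytes_after_header)
{
    if ((size_t)el_count * EXTENT_REC_SIZE > bytes_after_header) return 0;
    if (el_next_free_rec > el_count) return 0;
    return 1;
}

/* Xattr: the name must start at or after the fixed header and end inside
 * the block. An offset below header_size is exactly the underflow case. */
int valid_xattr_name(uint16_t xe_name_offset, uint8_t xe_name_len,
                     size_t header_size, size_t block_size)
{
    size_t off = xe_name_offset;
    if (off < header_size || off > block_size) return 0;
    if ((size_t)xe_name_len > block_size - off) return 0;
    return 1;
}

/* Constructed sample superblocks: 4 filler bytes, then little-endian s_blocksize. */
const uint8_t sample_sb_ok[8]  = {0xAA,0xAA,0xAA,0xAA, 0x00,0x10,0x00,0x00}; /* 4096 */
const uint8_t sample_sb_bad[8] = {0xAA,0xAA,0xAA,0xAA, 0x07,0x00,0x00,0x00}; /* 7 */

int main(void)
{
    size_t n = replay_buffer_size(sample_sb_ok, sizeof sample_sb_ok, 4096);
    if (n == 0) { puts("image rejected"); return 1; }
    uint8_t *buf = calloc(1, n);             /* allocation now matches s_blocksize */
    if (!buf) return 1;
    printf("replay buffer: %zu bytes\n", n);
    printf("block 10 -> offset %lld\n",
           (long long)replay_target_offset(10, 4096, n * 256));
    printf("bad image accepted? %d\n",
           replay_buffer_size(sample_sb_bad, sizeof sample_sb_bad, 4096) != 0);
    printf("xattr name at offset 16 with 64-byte header valid? %d\n",
           valid_xattr_name(16, 4, 64, 4096));
    free(buf);
    return 0;
}
```

The pattern in each function is the same: the check compares the on-disk value against the size of the memory that will be indexed, not against another on-disk value, and multiplications are overflow-checked before the product is used as an offset.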