Security Advisory: CVE-2025-70101 - Out-of-Bounds Read in lwext4

When traversing the extent tree of a crafted EXT4 image, lwext4 reads past the valid extent index array in ext4_ext_binsearch_idx() due to missing validation of extent header fields, causing a segmentation fault.

Summary:
ext4_ext_binsearch_idx() in ext4_extent.c performs a binary search over extent index entries using pointers derived from the EXT_FIRST_INDEX and EXT_LAST_INDEX macros. These macros compute bounds directly from the eh_entries and eh_depth fields of the extent header without verifying their consistency. A crafted image can encode zero eh_entries alongside a non-zero eh_depth, causing the macros to return invalid pointers and the binary search at line 815 to read outside the allocated buffer. The fault is triggered during directory iteration via ext4_find_extent() and ultimately ext4_dir_entry_next().

CWE:
CWE-125 - Out-of-Bounds Read

Affected Component:

```
src/ext4_extent.c:815
Function: ext4_ext_binsearch_idx()

src/ext4_extent.c:896
Function: ext4_find_extent()
```

Affected Product:
lwext4 (Lightweight EXT4 filesystem library)

Affected Version:
lwext4 1.0.0, commit 58bcf89a121b72d4fb66334f1693d3b30e4cb9c5. Affects versions based on or equivalent to the 2016-era codebase.

Attack Conditions:
An attacker supplies a specially crafted or corrupted EXT4 image to any application that integrates lwext4 for mounting and directory traversal. No elevated privileges are required; only local access (AV:L) to provide the malicious image is needed.

Impact:
The out-of-bounds read causes an immediate process crash (SEGV on READ at address 0x521000062a28), resulting in a denial of service. No evidence of code execution was observed.

Fix / mitigation status:
The issue is addressed in lwext4 v1.0.1, released by Aladdin-R-D. Users should upgrade to v1.0.1 or apply the corresponding patch.

References

- Issue: https://github.com/gkostka/lwext4/issues/91
- PoC: https://github.com/sigdevel/pocs/blob/main/res/lwext4/3/sig11_lwext4_ext4_extent_815
- Fix: https://github.com/Aladdin-R-D/lwext4/releases/tag/v1.0.1

Credit
Alexander A. Shvedov (@sigdevel) & Daniil Dulov

#fuzzing #infosec #security #afl #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #EXT4 #lwext4 #filesystem
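
A header consistency check of the kind this advisory says was missing, as an added example; it is not the lwext4 v1.0.1 patch and not part of the original post. It reads the standard ext4 on-disk extent header from a raw buffer; the function names, the depth cap of 5 and the two sample nodes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define EXT_MAGIC     0xF30A /* ext4 extent header magic */
#define EXT_HDR_SIZE  12u    /* on-disk header: magic, entries, max, depth, generation */
#define EXT_ENT_SIZE  12u    /* on-disk size of one index (or extent) entry */
#define EXT_MAX_DEPTH 5      /* assumed cap, the value the Linux kernel uses */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Constructed samples: 60-byte node buffers with room for eh_max = 4 entries. */
const uint8_t good_node[60] = { 0x0A,0xF3, 2,0, 4,0, 1,0, 0,0,0,0, /* 2 entries, depth 1 */
    0,0,0,0,       100,0,0,0, 0,0, 0,0,   /* index 0: ei_block 0    */
    0xE8,0x03,0,0, 200,0,0,0, 0,0, 0,0 }; /* index 1: ei_block 1000 */
const uint8_t bad_node[60] = { 0x0A,0xF3, 0,0, 4,0, 1,0 }; /* eh_entries 0, eh_depth 1 */

/* Returns 0 when the header is consistent with the buffer, a negative code otherwise. */
int ext_hdr_check(const uint8_t *node, size_t len)
{
    if (node == NULL || len < EXT_HDR_SIZE) return -1;
    uint16_t entries = le16(node + 2), max = le16(node + 4), depth = le16(node + 6);
    if (le16(node) != EXT_MAGIC) return -2;
    if (max == 0 || max > (len - EXT_HDR_SIZE) / EXT_ENT_SIZE) return -3;
    if (entries > max) return -4;
    if (depth > EXT_MAX_DEPTH) return -5;
    if (depth > 0 && entries == 0) return -6; /* the combination the advisory describes */
    return 0;
}

/* Slot of the last index whose ei_block <= lblk, or -1 if the node must not be searched. */
int ext_idx_search(const uint8_t *node, size_t len, uint32_t lblk)
{
    if (ext_hdr_check(node, len) != 0 || le16(node + 6) == 0) return -1;
    int l = 1, r = (int)le16(node + 2) - 1; /* slot 0 is the fallback result */
    while (l <= r) {
        int m = l + (r - l) / 2;
        if (lblk < le32(node + EXT_HDR_SIZE + (size_t)m * EXT_ENT_SIZE)) r = m - 1;
        else l = m + 1;
    }
    return l - 1;
}

int main(void) { return ext_idx_search(good_node, sizeof good_node, 1000) == 1 ? 0 : 1; }
```

Searching by slot number inside a length-checked buffer, rather than by pointers derived from header fields, keeps every read within the node even when the header is wrong.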

Security Advisory: CVE-2025-70100 - Divide By Zero in lwext4

When mounting or parsing a specially crafted EXT4 image that encodes a zero logical block size, lwext4 passes the invalid value into ext4_block_set_lb_size(), which performs arithmetic without validation and triggers a divide-by-zero crash.

Summary:
ext4_mount() reads the logical block size from the filesystem superblock and forwards it directly to ext4_block_set_lb_size() in ext4_blockdev.c. ext4_block_set_lb_size() uses lb_size in a division at line 127 without a prior zero-check, so a crafted image that encodes lb_size == 0 causes a Floating Point Exception. The process terminates immediately; under standard builds a SIGFPE is raised, under ASan the signal is intercepted and reported as FPE on address 0x55f254cc29e9.

CWE:
CWE-369 - Divide By Zero

Affected Component:

```
src/ext4_blockdev.c:127
Function: ext4_block_set_lb_size()

src/ext4.c:421
Function: ext4_mount()
```

Affected Product:
lwext4 (Lightweight EXT4 filesystem library)

Affected Version:
lwext4 1.0.0, commit 58bcf89a121b72d4fb66334f1693d3b30e4cb9c5. Affects versions based on or equivalent to the 2016-era codebase.

Attack Conditions:
An attacker supplies a specially crafted or corrupted EXT4 image to any application that integrates lwext4 for mounting or image processing. No elevated privileges are required; only local access (AV:L) to provide the malicious image is needed.

Impact:
The divide-by-zero causes an immediate process crash, resulting in a denial of service. No evidence of code execution was observed.

Fix / mitigation status:
The issue is addressed in lwext4 v1.0.1, released by Aladdin-R-D. Users should upgrade to v1.0.1 or apply the corresponding patch.

References

- Issue: https://github.com/gkostka/lwext4/issues/90
- PoC: https://github.com/sigdevel/pocs/blob/main/res/lwext4/2/sig8_2_lwext4_ext4_blockdev_c_127
- Fix: https://github.com/Aladdin-R-D/lwext4/releases/tag/v1.0.1

Credit
Alexander A. Shvedov (@sigdevel) & Daniil Dulov

#fuzzing #infosec #security #afl #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #EXT4 #lwext4 #filesystem
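
A pre-mount geometry check that keeps an invalid block size away from any division, as an added example; it is not lwext4 code or the v1.0.1 patch and not part of the original post. It assumes the size is derived from s_log_block_size as in the ext4 on-disk format; struct blk_geom, the function names and the sample superblocks are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define SB_SIZE          1024u /* ext4 superblock size in bytes */
#define SB_OFF_LOG_BSIZE 0x18u /* s_log_block_size, little-endian u32 */
#define SB_OFF_MAGIC     0x38u /* s_magic, little-endian u16 */
#define SB_MAGIC         0xEF53
#define MAX_LOG_BSIZE    6u    /* 1024 << 6 = 64 KiB, the largest ext4 block size */

struct blk_geom {              /* hypothetical stand-in for a block-device descriptor */
    uint32_t ph_bsize;         /* physical sector size in bytes */
    uint64_t part_size;        /* partition size in bytes */
    uint32_t lb_size;          /* logical block size, set on success */
    uint64_t lb_count;         /* logical blocks in the partition, set on success */
};

/* Constructed superblocks: only the two fields read below are populated. */
const uint8_t sb_ok[SB_SIZE]  = { [0x18] = 2,    [0x38] = 0x53, [0x39] = 0xEF }; /* 4 KiB */
const uint8_t sb_bad[SB_SIZE] = { [0x18] = 0xFF, [0x38] = 0x53, [0x39] = 0xEF };

static uint32_t rd32(const uint8_t *p)
{
    return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and fills g->lb_size / g->lb_count, or a negative code with g untouched. */
int geom_from_superblock(struct blk_geom *g, const uint8_t *sb, size_t len)
{
    if (g == NULL || sb == NULL || len < SB_SIZE) return -1;
    if ((sb[SB_OFF_MAGIC] | (sb[SB_OFF_MAGIC + 1] << 8)) != SB_MAGIC) return -2;
    uint32_t log_bsize = rd32(sb + SB_OFF_LOG_BSIZE);
    if (log_bsize > MAX_LOG_BSIZE) return -3;  /* reject before shifting */
    uint32_t lb = 1024u << log_bsize;          /* now within 1 KiB..64 KiB */
    if (g->ph_bsize == 0 || lb % g->ph_bsize != 0) return -4;
    if (g->part_size < lb) return -5;          /* device cannot hold one block */
    g->lb_size = lb;
    g->lb_count = g->part_size / lb;           /* divisor is never zero here */
    return 0;
}

/* Block count for a constructed 1 MiB device with 512-byte sectors, 0 if rejected. */
uint64_t demo_block_count(const uint8_t *sb)
{
    struct blk_geom g = { 512, 1u << 20, 0, 0 };
    return geom_from_superblock(&g, sb, SB_SIZE) == 0 ? g.lb_count : 0;
}

int main(void) { return demo_block_count(sb_ok) == 256 ? 0 : 1; }
```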

Security Advisory: CVE-2025-70099 - NULL Pointer Dereference in lwext4

When parsing a specially crafted EXT4 filesystem image with malformed directory entries, lwext4 dereferences a NULL directory entry pointer in ext4_dir_en_get_name_len(), causing a segmentation fault.

Summary:
The inline helper ext4_dir_en_get_name_len() in ext4_dir.h reads the name_len field from a directory entry struct without first validating that the entry pointer is non-NULL. During directory iteration via ext4_dir_entry_next(), processing of a corrupted EXT4 image can produce a NULL (or near-NULL) entry pointer. The subsequent dereference of en->name_len at line 126 triggers a READ access at address 0x6 and crashes the process.

CWE:
CWE-476 - NULL Pointer Dereference

Affected Component:

```
include/ext4_dir.h:126
Function: ext4_dir_en_get_name_len()

src/ext4.c:3233
Function: ext4_dir_entry_next()
```

Affected Product:
lwext4 (Lightweight EXT4 filesystem library)

Affected Version:
lwext4 1.0.0, commit 58bcf89a121b72d4fb66334f1693d3b30e4cb9c5. Affects versions based on or equivalent to the 2016-era codebase.

Attack Conditions:
An attacker supplies a specially crafted or corrupted EXT4 image to any application that integrates lwext4 for parsing or directory traversal. No elevated privileges are required; only local access (AV:L) to provide the malicious image is needed.

Impact:
The NULL pointer dereference causes an immediate process crash, resulting in a denial of service. No evidence of code execution was observed.

Fix / mitigation status:
The issue is addressed in lwext4 v1.0.1, released by Aladdin-R-D. Users should upgrade to v1.0.1 or apply the corresponding patch.

References

- Issue: https://github.com/gkostka/lwext4/issues/89
- PoC: https://github.com/sigdevel/pocs/blob/main/res/lwext4/1/sig11_2_1_lwext4_ext4_dir_h_126
- Fix: https://github.com/Aladdin-R-D/lwext4/releases/tag/v1.0.1

Credit
Alexander A. Shvedov (@sigdevel) & Daniil Dulov

#fuzzing #infosec #security #afl #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #EXT4 #lwext4 #filesystem
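
A directory-block walk that never hands the caller an entry pointer to dereference, as an added example; it is not lwext4 code or the v1.0.1 patch and not part of the original post. It goes beyond the single NULL check the advisory names and validates each record before name_len is used. It assumes the ext4 entry layout with the file-type byte and block sizes below 64 KiB; struct de_view, the function names and the sample blocks are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define DE_HDR 8u /* inode (4) + rec_len (2) + name_len (1) + file_type (1) */

struct de_view { uint32_t inode; uint16_t rec_len; uint8_t name_len; const uint8_t *name; };

/* Constructed 32-byte directory block: "." (rec_len 12) then "ab" (rec_len 20). */
const uint8_t dir_ok[32]  = { 2,0,0,0, 12,0, 1, 2, '.',0,0,0,
                              11,0,0,0, 20,0, 2, 1, 'a','b' };
/* Same block, but the second entry claims rec_len 0. */
const uint8_t dir_bad[32] = { 2,0,0,0, 12,0, 1, 2, '.',0,0,0,
                              11,0,0,0, 0,0, 2, 1, 'a','b' };

/* Returns 1 and fills *out, 0 at the end of the block, -1 on a malformed entry. */
int de_next(const uint8_t *blk, size_t blk_size, size_t *off, struct de_view *out)
{
    if (blk == NULL || off == NULL || out == NULL || *off > blk_size) return -1;
    if (*off == blk_size) return 0;
    size_t left = blk_size - *off;
    if (left < DE_HDR) return -1;
    const uint8_t *e = blk + *off;
    uint16_t rec_len = (uint16_t)(e[4] | (e[5] << 8));
    if (rec_len < DE_HDR || rec_len % 4 != 0 || rec_len > left) return -1;
    if (DE_HDR + e[6] > rec_len) return -1; /* name must fit inside the record */
    out->inode = e[0] | ((uint32_t)e[1] << 8) | ((uint32_t)e[2] << 16) | ((uint32_t)e[3] << 24);
    out->rec_len = rec_len;
    out->name_len = e[6];
    out->name = e + DE_HDR;
    *off += rec_len;
    return 1;
}

/* Walks a block and returns the number of live entries, or -1 if any entry is malformed. */
int de_count(const uint8_t *blk, size_t blk_size)
{
    struct de_view v;
    size_t off = 0;
    int n = 0, rc;
    while ((rc = de_next(blk, blk_size, &off, &v)) == 1)
        if (v.inode != 0) n++;              /* inode 0 marks an unused record */
    return rc == 0 ? n : -1;
}

int main(void) { return de_count(dir_ok, sizeof dir_ok) == 2 ? 0 : 1; }
```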

Nice exercise dumping an #inode and disk content manually from an #ext4 file system https://www.cyberdemon.org/2023/07/19/bunch-of-bits.html #fs

Anyone know what would cause an EXT4 filesystem to just suddenly insist it has zero bytes free no matter what? I deleted files and everything and it still said 0 bytes free. I ran multiple filesystem checks (it was marked as dirty, and said mounted with errors, but just in case I forced extra checks) and in the end it did a repair or something and then from there on just insisted there was nothing wrong anymore. I even used gparted to shrink, move, and then resize it back (poor memory card!)

In the end I had to use tune2fs to adjust the reserve down to 1% (I probably don't need any, this is on a secondary memory card for a retro handheld.)

Like did the reserve just... somehow get changed somehow to 100% or something stupid? How would that even be possible?

#Linux #EXT4

I've been transitioning my home computers from #Manjaro to #Solus #Linux because I noticed that Solus puts out weekly updates and Manjaro moves far more slowly.

I thought I'd give #BTRFS a try instead of #ext4 since on Manjaro, BTRFS has become the default and it worked well.

For some reason, it really didn't play well with Solus. I couldn't log into #Element at all and I had problems running #Cyberpunk2077 with #Heroic.

I reinstalled with ext4 and those problems went away.

I did, for some reason, have trouble installing Heroic from the repo and had to use #Flatpak instead, but I'm getting more comfortable with those. I let the computer redownload CPB2077 overnight and tried to run it this morning. It even remembered my progress, which was a fear.

Installed ext4fsd on Windows 10; even though most of it is carried over from ext2fsd, I can now use my Linux disk from Windows))
#fakealyxpost #ext4 #ext4fsd #linux

BTRFS? LMAO. I use ext4. I don't like dealing with any other fs. Stability is what I want when it comes to the data I put into storage. It's the bedrock to everything I do in my systems so I want a rock stable bedrock. Fuck all the fancy shit. Ext4 on linux all the way

Snapper? Tf is dat? I just make a compressed dd image of my root drive. I don't wanna waste time twiddling with rsync or something UNLESS NECESSARY. I don't backup my system that frequent though.

#linux #archlinux #ext4 #btrfs

A friend got a portable projector (Elfin Flip) and realized it's running Linux.

So I downloaded the firmware (from 2022) and binwalked it:

```
...
633998388 0x25CA0C34 Linux EXT filesystem, blocks count: 477201, image size: 488653824, rev 1.0, ext2 filesystem data (mounted or unclean), UUID=4729639d-b5f2-5cc1-a120-9ac5f788f788, volume name "/"
...
```

mounted or unclean!

I'm sorry sir, but could you fsck your release before shipping?

#Linux #Embedded #ext4 #ReverseEngineering

New post on The Byte Architect:

**Filesystem Wars: Why Your Choice of Storage is Actually a Security Move**

This is not a “which filesystem should I use?” checklist. It is a walk through the ideas behind FFS, BFS, NTFS, ext4, ZFS, and APFS — and why storage design is never just about storage.

Crash consistency, journaling, soft updates, CoW, snapshots, encryption, space sharing: different filesystems solve different problems, and those choices shape reliability, usability, and security.

The real target, of course, is APFS.

Read it here: https://bytearchitect.io/macos-security/theory/Filesystem-Wars-Why-Your-Choice-of-Storage-is-Actually-a-Security-Move/

#macOS #Apple #APFS #ZFS #ext4 #NTFS #ReverseEngineering #InfoSec #CyberSecurity