Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ocfs2: add boundary check to ocfs2_check_dir_entry()

In 'ocfs2_check_dir_entry()', add extra check whether at least the
smallest possible dirent may be located at the specified offset within
bh's data, thus preventing out-of-bounds accesses below.

Link: https://lkml.kernel.org/r/20251013062826.122586-1-dmantipov@yandex.ru
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reported-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

authored by Dmitry Antipov and committed by Andrew Morton
390ac56c d99dc586

+15 -2
fs/ocfs2/dir.c
··· 302 302 unsigned long offset) 303 303 { 304 304 const char *error_msg = NULL; 305 - const int rlen = le16_to_cpu(de->rec_len); 306 - const unsigned long next_offset = ((char *) de - buf) + rlen; 305 + unsigned long next_offset; 306 + int rlen; 307 + 308 + if (offset > size - OCFS2_DIR_REC_LEN(1)) { 309 + /* Dirent is (maybe partially) beyond the buffer 310 + * boundaries so touching 'de' members is unsafe. 311 + */ 312 + mlog(ML_ERROR, "directory entry (#%llu: offset=%lu) " 313 + "too close to end or out-of-bounds", 314 + (unsigned long long)OCFS2_I(dir)->ip_blkno, offset); 315 + return 0; 316 + } 317 + 318 + rlen = le16_to_cpu(de->rec_len); 319 + next_offset = ((char *) de - buf) + rlen; 307 320 308 321 if (unlikely(rlen < OCFS2_DIR_REC_LEN(1))) 309 322 error_msg = "rec_len is smaller than minimal";
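
Review bot: The new guard 'if (offset > size - OCFS2_DIR_REC_LEN(1))' relies on size being at least OCFS2_DIR_REC_LEN(1); the declaration of size is outside the visible context, but if it is unsigned and can ever be smaller than that, the subtraction wraps, the comparison is false, and de->rec_len is still read. Suggest spelling the precondition out, for example 'if (size < OCFS2_DIR_REC_LEN(1) || offset > size - OCFS2_DIR_REC_LEN(1))', or stating in the comment why size cannot be that small. The guard also bounds 'offset' while next_offset is computed from '(char *) de - buf', so a short comment that callers keep offset equal to de's position in buf would make the assumption explicit. Minor: the mlog() format string is split across two source lines, which makes the message harder to grep for, and the new branch lacks the unlikely() annotation used by the rec_len check that follows.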