From: Chao Yu via Linux-f2fs-devel <linux-f2fs-devel@lists.sourceforge.net>
To: jaegeuk@kernel.org
Cc: linux-f2fs-devel@lists.sourceforge.net
Subject: [f2fs-dev] [PATCH 1/2] fsck.f2fs: sanity check i_inline_xattr_size correctly
Date: Tue, 16 Jun 2026 09:48:01 +0000
Message-ID: <20260616094802.3107281-1-chao@kernel.org>
A corrupted inode may contain an invalid i_inline_xattr_size field. When
F2FS_FEATURE_FLEXIBLE_INLINE_XATTR is enabled and the inode does not have the
F2FS_INLINE_XATTR flag, fsck.f2fs won't check its validity; however,
we will still use the i_inline_xattr_size field via get_inline_xattr_addrs(),
which may cause potential heap buffer underflows and out-of-bounds reads/writes.
In addition, we missed checking i_inline_xattr_size w/ the lower boundary
MIN_INLINE_XATTR_SIZE like we did on the kernel side.
This patch fixes the above two issues.
Signed-off-by: Chao Yu <chao@kernel.org>
---
fsck/fsck.c | 10 ++++++----
fsck/xattr.h | 2 ++
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/fsck/fsck.c b/fsck/fsck.c
index 4fca4dd..e679357 100644
--- a/fsck/fsck.c
+++ b/fsck/fsck.c
@@ -1063,14 +1063,16 @@ check_next:
}
}
- if ((c.feature & F2FS_FEATURE_FLEXIBLE_INLINE_XATTR) &&
- (node_blk->i.i_inline & F2FS_INLINE_XATTR)) {
+ if (c.feature & F2FS_FEATURE_FLEXIBLE_INLINE_XATTR) {
unsigned int inline_size =
le16_to_cpu(node_blk->i.i_inline_xattr_size);
if (time_to_inject(FAULT_INODE) ||
- (!inline_size ||
- inline_size > MAX_INLINE_XATTR_SIZE)) {
+ inline_size > MAX_INLINE_XATTR_SIZE ||
+ (inline_size != 0 &&
+ inline_size < MIN_INLINE_XATTR_SIZE) ||
+ ((node_blk->i.i_inline & F2FS_INLINE_XATTR) &&
+ !inline_size)) {
ASSERT_MSG("[0x%x] wrong inline_xattr_size:%u",
nid, inline_size);
if (c.fix_on) {
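Review bot: the rewritten condition after `time_to_inject(FAULT_INODE) ||` packs three separate rules into one expression with no comment, and a zero `inline_size` is accepted whenever F2FS_INLINE_XATTR is clear. Per the commit message the field is still consumed through get_inline_xattr_addrs() in that case, so a short comment stating why zero is safe there (and only there) would let the next reader confirm the underflow path is closed. All three failures also share the single "wrong inline_xattr_size" message; printing `node_blk->i.i_inline` or the violated bound next to `inline_size` would make fsck output easier to triage. Minor style: the expression mixes `inline_size != 0` and `!inline_size`; pick one form.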
diff --git a/fsck/xattr.h b/fsck/xattr.h
index 867349c..5f59e8e 100644
--- a/fsck/xattr.h
+++ b/fsck/xattr.h
@@ -200,4 +200,6 @@ static inline int f2fs_acl_count(int size)
F2FS_TOTAL_EXTRA_ATTR_SIZE / sizeof(__le32) - \
DEF_INLINE_RESERVED_SIZE - \
MIN_INLINE_DENTRY_SIZE / sizeof(__le32))
+#define MIN_INLINE_XATTR_SIZE \
+ (sizeof(struct f2fs_xattr_header) / sizeof(__le32))
#endif
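Review bot: `MIN_INLINE_XATTR_SIZE` is added without a comment stating its unit; the division by `sizeof(__le32)` means it counts 4-byte slots, not bytes, and the fsck.c comparison against `i_inline_xattr_size` depends on that. A short comment above the `#define` giving the unit and noting that it mirrors the kernel-side lower bound named in the commit message would guard against a later byte/slot mix-up. The macro evaluates to a size_t while `inline_size` in fsck.c is `unsigned int`; both sides are unsigned so the comparison is fine as written, but it is worth a note if the type of `inline_size` ever changes.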
--
2.49.0