From: syzbot <syzbot+77026564530dbc29b854@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] ocfs2: add validation for chain index in ocfs2_block_group_fill
Date: Tue, 14 Oct 2025 21:46:45 -0700
Message-ID: <68ef2735.050a0220.1186a4.00a4.GAE@google.com>
In-Reply-To: <68ef030a.050a0220.91a22.022b.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ocfs2: add validation for chain index in ocfs2_block_group_fill
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
Add validation to ensure my_chain index is within bounds before
accessing cl->cl_recs[] array. Without this check, a corrupted
filesystem with cl_count set to 0 can trigger an out-of-bounds
array access, detected by UBSAN.

The issue was exposed by commit aa545adbe491 ("ocfs2: annotate
flexible array members with __counted_by_le()"), which added
the __counted_by_le() annotation to cl_recs[], allowing UBSAN
to detect the out-of-bounds access.

UBSAN report:
UBSAN: array-index-out-of-bounds in fs/ocfs2/suballoc.c:380:22
index 0 is out of range for type 'struct ocfs2_chain_rec[]'

The fix adds an explicit bounds check at the start of
ocfs2_block_group_fill() to validate my_chain is less than
cl->cl_count before accessing the array, preventing the
out-of-bounds access and properly handling corrupted
filesystems.

Reported-by: syzbot+77026564530dbc29b854@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
Fixes: aa545adbe491 ("ocfs2: annotate flexible array members with __counted_by_le()")
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/ocfs2/suballoc.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 6ac4dcd54588..dd58cc0f9838 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -353,6 +353,14 @@ static int ocfs2_block_group_fill(handle_t *handle,
struct ocfs2_super *osb = OCFS2_SB(alloc_inode->i_sb);
struct ocfs2_group_desc *bg = (struct ocfs2_group_desc *) bg_bh->b_data;
struct super_block * sb = alloc_inode->i_sb;
+
+ /* Validate chain index before accessing cl_recs array */
+ if (my_chain >= le16_to_cpu(cl->cl_count)) {
+ status = ocfs2_error(alloc_inode->i_sb,
+ "chain index %u out of range (count=%u)\n",
+ my_chain, le16_to_cpu(cl->cl_count));
+ goto bail;
+ }
if (((unsigned long long) bg_bh->b_blocknr) != group_blkno) {
status = ocfs2_error(alloc_inode->i_sb,
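Review bot: the new check at the top of ocfs2_block_group_fill() bounds my_chain only by the on-disk cl->cl_count, so it catches cl_count == 0 but accepts any larger corrupted count. Consider also rejecting a cl_count above what the block holding the chain list can contain, ideally where the chain list is first read, and keeping this check as a backstop. Two smaller points: le16_to_cpu(cl->cl_count) is evaluated twice and could be read into a local once, and a blank line after the closing brace would separate the new block from the existing b_blocknr check.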
--
2.43.0
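
An added example, not part of the patch or the ocfs2 source: a userspace model of the bounds check the commit message describes, extended to also reject a count larger than the block can hold. The struct layout, the names `chain_list`, `chain_check` and `demo`, and the 512-byte block are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for an on-disk chain list; NOT the real ocfs2 layout. */
struct chain_rec { uint32_t free_bits, total_bits; uint64_t blkno; };
struct chain_list {
    uint8_t count_le[2];      /* little-endian count of usable recs[] slots */
    uint8_t pad[6];
    struct chain_rec recs[];  /* valid indices: 0 .. count-1 */
};
enum chain_status { CHAIN_OK, CHAIN_EMPTY, CHAIN_COUNT_TOO_BIG, CHAIN_INDEX_RANGE };

/* Number of records that physically fit in the block holding the list. */
static size_t chain_capacity(size_t block_size)
{
    if (block_size < sizeof(struct chain_list))
        return 0;
    return (block_size - sizeof(struct chain_list)) / sizeof(struct chain_rec);
}

/* Validate the untrusted count first, then the index against it. */
static enum chain_status chain_check(const struct chain_list *cl,
                                     size_t block_size, uint16_t idx)
{
    uint16_t count = (uint16_t)(cl->count_le[0] | (cl->count_le[1] << 8));
    if (count == 0)
        return CHAIN_EMPTY;            /* the corrupted case from the report */
    if (count > chain_capacity(block_size))
        return CHAIN_COUNT_TOO_BIG;    /* count claims more than the block holds */
    return idx >= count ? CHAIN_INDEX_RANGE : CHAIN_OK;
}

/* Build a constructed 512-byte block with the given count and check idx. */
static enum chain_status demo(uint16_t count, uint16_t idx)
{
    static union { uint8_t raw[512]; struct chain_list cl; } blk;
    memset(blk.raw, 0, sizeof(blk.raw));
    blk.cl.count_le[0] = (uint8_t)(count & 0xff);
    blk.cl.count_le[1] = (uint8_t)(count >> 8);
    return chain_check(&blk.cl, sizeof(blk.raw), idx);
}

int main(void)
{
    printf("%d %d\n", demo(0, 0), demo(4, 3));
    return 0;
}
```

Checking the count against the block's capacity before comparing the index covers the oversized-count case that an index-versus-count comparison alone lets through.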