From: syzbot <syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] ocfs2: validate inline directory i_size during inode read
Date: Thu, 11 Dec 2025 01:27:39 -0800
Message-ID: <693a8e8b.050a0220.4004e.02f8.GAE@google.com>
In-Reply-To: <693a631e.a70a0220.33cd7b.0028.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ocfs2: validate inline directory i_size during inode read
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When reading an inode from disk, ocfs2_validate_inode_block() performs
various sanity checks but does not validate the size of inline
directories. If the filesystem is corrupted, an inline directory's
i_size can exceed the actual inline data capacity (id_count).

This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline
data buffer, triggering a use-after-free when accessing directory
entries from freed memory.

In the syzbot report:
  - i_size was 1099511627576 bytes (~1TB)
  - Actual inline data capacity (id_count) is typically <256 bytes
  - A garbage rec_len (54648) caused ctx->pos to jump out of bounds
  - This triggered a UAF in ocfs2_check_dir_entry()

Fix by adding a validation check in ocfs2_validate_inode_block() to
ensure inline directories have i_size <= id_count. This catches the
corruption early during inode read and prevents all downstream code
from operating on invalid data.

Reported-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c897823f699449cc3eb4
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/ocfs2/inode.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
index 8340525e5589..9eb364bef5c3 100644
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1521,6 +1521,21 @@ int ocfs2_validate_inode_block(struct super_block *sb,
 		}
 	}
 
+	if (S_ISDIR(le16_to_cpu(di->i_mode)) &&
+	    (di->i_dyn_features & cpu_to_le16(OCFS2_INLINE_DATA_FL))) {
+		struct ocfs2_inline_data *data = &di->id2.i_data;
+
+		if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
+			rc = ocfs2_error(sb,
+					 "Invalid dinode #%llu: inline directory "
+					 "i_size %llu exceeds id_count %u\n",
+					 (unsigned long long)bh->b_blocknr,
+					 (unsigned long long)le64_to_cpu(di->i_size),
+					 le16_to_cpu(data->id_count));
+			goto bail;
+		}
+	}
+
 	rc = 0;
 
 bail:
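Review bot: the new check bounds i_size by id_count, but nothing in this hunk bounds id_count itself, so a dinode whose id_count is also corrupted (any value up to 65535) still passes and an i_size that is large but not larger than that id_count would let ocfs2_dir_foreach_blk_id() walk past the inline area exactly as before; consider rejecting an id_count larger than the inline capacity the dinode block can actually hold at the same point, before i_size is compared against it. Minor style point: the format string is split across two lines ("Invalid dinode #%llu: inline directory " / "i_size %llu exceeds id_count %u\n"); checkpatch warns about quoted strings split across lines, so keep the message on a single line even if it runs past 80 columns.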
-- 
2.43.0
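To make the failure mode in the commit message concrete, the following is an added example, not ocfs2 code and not part of the patch or the author's message. It models an inline directory with a hypothetical, simplified dinode (`toy_dinode`, a 64-byte inline area, `toy_dirent_hdr`) and shows a walk bounded only by i_size running off the inline buffer when fed the i_size and rec_len values quoted from the report, next to the validation the patch adds (extended here with a bound on id_count itself). Every `toy_` name and the 64-byte capacity are assumptions; the real `ocfs2_dinode` and `ocfs2_dir_entry` layouts are not reproduced, and the out-of-bounds access is detected and reported rather than performed.

```c
#include <stdint.h>
#include <string.h>

#define INLINE_CAP 64u   /* hypothetical inline data capacity in bytes */

/* Hypothetical, simplified stand-in for the dinode fields the patch looks at;
 * the real struct ocfs2_dinode carries far more state than this. */
struct toy_dinode {
    uint64_t i_size;                 /* directory size as recorded on disk */
    uint16_t id_count;               /* bytes usable in id_data */
    uint8_t  id_data[INLINE_CAP];    /* inline directory entries */
};

/* Hypothetical entry header; rec_len covers the header plus the padded name. */
struct toy_dirent_hdr {
    uint16_t rec_len;
    uint8_t  name_len;
    uint8_t  file_type;
};

/* The validation the patch adds, plus a bound on id_count itself so that a
 * corrupted id_count cannot launder an oversized i_size. Returns 0 or -1. */
int toy_validate_inline_dir(const struct toy_dinode *di)
{
    if (di->id_count > INLINE_CAP)
        return -1;
    if (di->i_size > di->id_count)
        return -1;
    return 0;
}

/* Walk entries up to 'limit' bytes, as a reader bounded only by i_size would.
 * Returns the entry count, -1 for a malformed rec_len, or -2 as soon as the
 * walk would touch memory outside id_data (the read KASAN flagged). */
int toy_walk_dir(const struct toy_dinode *di, uint64_t limit)
{
    uint64_t pos = 0;
    int count = 0;

    while (pos < limit) {
        struct toy_dirent_hdr hdr;

        if (pos + sizeof(hdr) > INLINE_CAP)
            return -2;                       /* header lies past the buffer */
        memcpy(&hdr, di->id_data + pos, sizeof(hdr));
        if (hdr.rec_len < sizeof(hdr) || (hdr.rec_len & 3) != 0)
            return -1;                       /* garbage rec_len */
        if (pos + hdr.rec_len > INLINE_CAP)
            return -2;                       /* next pos escapes the buffer */
        count++;
        pos += hdr.rec_len;
    }
    return count;
}

/* Append one entry at *pos; rec_len is rounded up to a 4-byte boundary. */
static void toy_put_entry(struct toy_dinode *di, uint64_t *pos, const char *name)
{
    struct toy_dirent_hdr hdr;
    size_t nlen = strlen(name);

    hdr.name_len = (uint8_t)nlen;
    hdr.file_type = 0;
    hdr.rec_len = (uint16_t)((sizeof(hdr) + nlen + 3) & ~(size_t)3);
    memcpy(di->id_data + *pos, &hdr, sizeof(hdr));
    memcpy(di->id_data + *pos + sizeof(hdr), name, nlen);
    *pos += hdr.rec_len;
}

/* Constructed sample: a sane inline directory holding "." and "..". */
static void toy_make_dir(struct toy_dinode *di)
{
    uint64_t pos = 0;

    memset(di, 0, sizeof(*di));
    di->id_count = INLINE_CAP;
    toy_put_entry(di, &pos, ".");
    toy_put_entry(di, &pos, "..");
    di->i_size = pos;
}

/* Sane dinode: validation passes and the walk finds both entries (2). */
int toy_demo_valid(void)
{
    struct toy_dinode di;

    toy_make_dir(&di);
    if (toy_validate_inline_dir(&di) != 0)
        return -1;
    return toy_walk_dir(&di, di.i_size);
}

/* Report scenario: i_size and the stale bytes after the real entries take the
 * values quoted in the report. Validation rejects the dinode up front; a walk
 * that trusted i_size instead escapes the inline buffer (-2). */
int toy_demo_corrupt(void)
{
    struct toy_dinode di;
    struct toy_dirent_hdr junk = { 54648, 0, 0 };   /* rec_len from the report */

    toy_make_dir(&di);
    memcpy(di.id_data + di.i_size, &junk, sizeof(junk));
    di.i_size = 1099511627576ULL;                    /* i_size from the report */
    if (toy_validate_inline_dir(&di) == 0)
        return 0;                                    /* must not happen */
    return toy_walk_dir(&di, di.i_size);
}
```

The walk reports -2 one step before it would read outside `id_data`, which is the point where the real code in the report was already reading freed memory; the validation rejects the same dinode before any walk starts, which is the ordering the patch establishes in ocfs2_validate_inode_block().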


Thread overview:
2025-12-11  6:22 [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_check_dir_entry syzbot
2025-12-11  8:06 ` Forwarded: [PATCH] ocfs2: fix use-after-free when reading a bad inode syzbot
2025-12-11  9:27 ` syzbot [this message]
