From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 078C64028DF for ; Mon, 15 Jun 2026 15:24:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781537070; cv=none; b=E75LPxcVEvSpzrTB9Y4BG1EXk6PcXoVbw0Tr0/tGl7uYHlRaQI3DVyJKbUzJXiEHGm/ELNHcQyMXcyckKk1+cRxj5PnBsey82pP9nloIfwcm1w3vAlY+bK+HPFWIoZvN9dV591Y/ruyA3oKILRglNaQA5wcrZ7/087PqtvPmJ0g= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781537070; c=relaxed/simple; bh=egLWWr+kdVFuLTgEfPD2nXj742pL56qyHp6GE0aJ+Wc=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=nUNHW4lWZ8qo0c3A3r6piPHHuzi0L3fzjsAjQJrfO1gh5Xi6CbytSbY4qrQW0S2FAWLPpZFcL07r9GWYzSNKD3E9OipMVtSwArOwT6DeZB6Skt6LdDFL16two4ElQShP0dfJWKWtA25ir4MmkW9+XnI1DjGFjdl22AVlIsJU7Uc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=T51GH1SA; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="T51GH1SA" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A90261F000E9; Mon, 15 Jun 2026 15:24:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1781537068; bh=sUw57hAfo3ctu0mbRih9ftVfYzKpjB8gtMJX9LZvgwM=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=T51GH1SAMjYKFFr66UnuIyZMPmKULXYB8bXqBnCl17LijeUxinND6xoXUVsgEW+0E YnxW0UB81bOXT64Ms0I0Ieo4ftxxi6D3gXPnw3L1czNlxg04Mkww1R+6wDXH+r0trr uHDhbAKE03cuNT626S0I91oR/tySYjWYJMsXON+PV+nMHTzco2cctzlG7b3wz/1VGz ev1f7FpYgoQfXxcYzCgXqJIX9n3T91PYEwN1RX6RG/ZnoUc/dvHy3dHsD6j2XgjoLi Nktyvc5zTZleZ0FlmEeeOrYKOkNVZR7D9exz8knt0NBddebybfAjPi+A2K6o6tQhvc UzkpnBeyBxfUw== Date: Mon, 15 Jun 2026 15:24:27 +0000 From: Jaegeuk Kim To: Chao Yu Cc: Samuel Moelius , "open list:F2FS FILE SYSTEM" , open list Subject: Re: [PATCH] f2fs: validate inline dentry name lengths before conversion Message-ID: References: <20260603154933.16368-1-sam.moelius@trailofbits.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On 06/15, Chao Yu wrote: > On 6/3/26 23:49, Samuel Moelius wrote: > > Inline dentry conversion copies names out of the inline dentry area > > before checking that each recorded name length fits in the available > > filename slots. > > > > A corrupted image can therefore make the conversion path read past > > the inline filename storage while building the regular dentry block. > > > > Validate each inline dentry name length against the inline filename > > area before copying it. > > > > Assisted-by: Codex:gpt-5.5-cyber-preview > > Signed-off-by: Samuel Moelius > > --- > > fs/f2fs/inline.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c > > index 7aabfc9b43cb..4584dfbe3fb8 100644 > > --- a/fs/f2fs/inline.c > > +++ b/fs/f2fs/inline.c > > @@ -507,6 +507,10 @@ static int f2fs_add_inline_entries(struct inode *dir, void *inline_dentry) > > bit_pos++; > > continue; > > } > > + if (unlikely(le16_to_cpu(de->name_len) > F2FS_NAME_LEN || > > + bit_pos + GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)) > > > + d.max)) > > + return -EFSCORRUPTED; > > err = -EFSCORRUPTED; > goto punch_dentry_pages; Applied with it. > > Thanks, > > > > > /* > > * We only need the disk_name and hash to move the dentry. > From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.sourceforge.net (lists.sourceforge.net [216.105.38.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id F3D31CD98C5 for ; Mon, 15 Jun 2026 15:24:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type:Cc: Reply-To:From:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:Subject:In-Reply-To:MIME-Version:References: Message-ID:To:Date:Sender:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=C98mCMVD9o1eKXGnEYVjTIsWnXaS7ZXyB+toXQ20+nk=; b=QqdaituxLga/9G1kQ6lt8qPffc 2BnX2bpX6+ID1vDQ7it6EusLZMkmUaG758BnvE1gzm7SD5AlbhY3Ii5feY4ZsgnJLY2l1e+/xmYAZ olYzlvQhny+mswaTPdziN7IBvn0P4WS7yPYgV92LnEhzMaH32JTrrqwNCX0sW5wK7zDE=; Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1wZ9Az-0000FL-EM; Mon, 15 Jun 2026 15:24:37 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1wZ9Ay-0000FC-E8 for linux-f2fs-devel@lists.sourceforge.net; Mon, 15 Jun 2026 15:24:36 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=In-Reply-To:Content-Type:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=sUw57hAfo3ctu0mbRih9ftVfYzKpjB8gtMJX9LZvgwM=; b=PVerCcxYUlQMmnoabSeD5dIg0/ 8xPA+m7OXHoCtUUlM4P7a7z1INJJgKt8vXsDgsf/ZH3RArAVADlP5icPnTozug/o0YYPQfhqdecpL bPkQfk26SeLAioVeWxS1AbTalXot50KbqApFN0oGDUgDtayNYTrqZFERvf7GpmdiwwY0=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To :From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=sUw57hAfo3ctu0mbRih9ftVfYzKpjB8gtMJX9LZvgwM=; b=Ce7cCX03tfF+BgQQqFKE0iE62r UwrANrDMtUWGk42xToLCMMlnwvO+6PGLvgw0Cdbb0jal5bK3dk0UPUKRBQ5mLm583OBEXnIWLnoiO 3mRwhY+lkMTTNE/UDO2hndhU8Md0B3x289sYl4W3t1/hbNcNFz50J59w2cBLm85N9hKk=; Received: from tor.source.kernel.org ([172.105.4.254]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1wZ9Aw-0001au-B8 for linux-f2fs-devel@lists.sourceforge.net; Mon, 15 Jun 2026 15:24:36 +0000 Received: from smtp.kernel.org (quasi.space.kernel.org [100.103.45.18]) by tor.source.kernel.org (Postfix) with ESMTP id 219B5600AB; Mon, 15 Jun 2026 15:24:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A90261F000E9; Mon, 15 Jun 2026 15:24:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1781537068; bh=sUw57hAfo3ctu0mbRih9ftVfYzKpjB8gtMJX9LZvgwM=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=T51GH1SAMjYKFFr66UnuIyZMPmKULXYB8bXqBnCl17LijeUxinND6xoXUVsgEW+0E YnxW0UB81bOXT64Ms0I0Ieo4ftxxi6D3gXPnw3L1czNlxg04Mkww1R+6wDXH+r0trr uHDhbAKE03cuNT626S0I91oR/tySYjWYJMsXON+PV+nMHTzco2cctzlG7b3wz/1VGz ev1f7FpYgoQfXxcYzCgXqJIX9n3T91PYEwN1RX6RG/ZnoUc/dvHy3dHsD6j2XgjoLi Nktyvc5zTZleZ0FlmEeeOrYKOkNVZR7D9exz8knt0NBddebybfAjPi+A2K6o6tQhvc UzkpnBeyBxfUw== Date: Mon, 15 Jun 2026 15:24:27 +0000 To: Chao Yu Message-ID: References: <20260603154933.16368-1-sam.moelius@trailofbits.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-Headers-End: 1wZ9Aw-0001au-B8 Subject: Re: [f2fs-dev] [PATCH] f2fs: validate inline dentry name lengths before conversion X-BeenThere: linux-f2fs-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Jaegeuk Kim via Linux-f2fs-devel Reply-To: Jaegeuk Kim Cc: open list , Samuel Moelius , "open list:F2FS FILE SYSTEM" Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: linux-f2fs-devel-bounces@lists.sourceforge.net On 06/15, Chao Yu wrote: > On 6/3/26 23:49, Samuel Moelius wrote: > > Inline dentry conversion copies names out of the inline dentry area > > before checking that each recorded name length fits in the available > > filename slots. > > > > A corrupted image can therefore make the conversion path read past > > the inline filename storage while building the regular dentry block. > > > > Validate each inline dentry name length against the inline filename > > area before copying it. > > > > Assisted-by: Codex:gpt-5.5-cyber-preview > > Signed-off-by: Samuel Moelius > > --- > > fs/f2fs/inline.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c > > index 7aabfc9b43cb..4584dfbe3fb8 100644 > > --- a/fs/f2fs/inline.c > > +++ b/fs/f2fs/inline.c > > @@ -507,6 +507,10 @@ static int f2fs_add_inline_entries(struct inode *dir, void *inline_dentry) > > bit_pos++; > > continue; > > } > > + if (unlikely(le16_to_cpu(de->name_len) > F2FS_NAME_LEN || > > + bit_pos + GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)) > > > + d.max)) > > + return -EFSCORRUPTED; > > err = -EFSCORRUPTED; > goto punch_dentry_pages; Applied with it. > > Thanks, > > > > > /* > > * We only need the disk_name and hash to move the dentry. > _______________________________________________ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel