From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 078C64028DF for ; Mon, 15 Jun 2026 15:24:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781537070; cv=none; b=E75LPxcVEvSpzrTB9Y4BG1EXk6PcXoVbw0Tr0/tGl7uYHlRaQI3DVyJKbUzJXiEHGm/ELNHcQyMXcyckKk1+cRxj5PnBsey82pP9nloIfwcm1w3vAlY+bK+HPFWIoZvN9dV591Y/ruyA3oKILRglNaQA5wcrZ7/087PqtvPmJ0g= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781537070; c=relaxed/simple; bh=egLWWr+kdVFuLTgEfPD2nXj742pL56qyHp6GE0aJ+Wc=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=nUNHW4lWZ8qo0c3A3r6piPHHuzi0L3fzjsAjQJrfO1gh5Xi6CbytSbY4qrQW0S2FAWLPpZFcL07r9GWYzSNKD3E9OipMVtSwArOwT6DeZB6Skt6LdDFL16two4ElQShP0dfJWKWtA25ir4MmkW9+XnI1DjGFjdl22AVlIsJU7Uc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=T51GH1SA; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="T51GH1SA" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A90261F000E9; Mon, 15 Jun 2026 15:24:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1781537068; bh=sUw57hAfo3ctu0mbRih9ftVfYzKpjB8gtMJX9LZvgwM=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=T51GH1SAMjYKFFr66UnuIyZMPmKULXYB8bXqBnCl17LijeUxinND6xoXUVsgEW+0E YnxW0UB81bOXT64Ms0I0Ieo4ftxxi6D3gXPnw3L1czNlxg04Mkww1R+6wDXH+r0trr uHDhbAKE03cuNT626S0I91oR/tySYjWYJMsXON+PV+nMHTzco2cctzlG7b3wz/1VGz ev1f7FpYgoQfXxcYzCgXqJIX9n3T91PYEwN1RX6RG/ZnoUc/dvHy3dHsD6j2XgjoLi Nktyvc5zTZleZ0FlmEeeOrYKOkNVZR7D9exz8knt0NBddebybfAjPi+A2K6o6tQhvc UzkpnBeyBxfUw== Date: Mon, 15 Jun 2026 15:24:27 +0000 From: Jaegeuk Kim To: Chao Yu Cc: Samuel Moelius , "open list:F2FS FILE SYSTEM" , open list Subject: Re: [PATCH] f2fs: validate inline dentry name lengths before conversion Message-ID: References: <20260603154933.16368-1-sam.moelius@trailofbits.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On 06/15, Chao Yu wrote: > On 6/3/26 23:49, Samuel Moelius wrote: > > Inline dentry conversion copies names out of the inline dentry area > > before checking that each recorded name length fits in the available > > filename slots. > > > > A corrupted image can therefore make the conversion path read past > > the inline filename storage while building the regular dentry block. > > > > Validate each inline dentry name length against the inline filename > > area before copying it. > > > > Assisted-by: Codex:gpt-5.5-cyber-preview > > Signed-off-by: Samuel Moelius > > --- > > fs/f2fs/inline.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c > > index 7aabfc9b43cb..4584dfbe3fb8 100644 > > --- a/fs/f2fs/inline.c > > +++ b/fs/f2fs/inline.c > > @@ -507,6 +507,10 @@ static int f2fs_add_inline_entries(struct inode *dir, void *inline_dentry) > > bit_pos++; > > continue; > > } > > + if (unlikely(le16_to_cpu(de->name_len) > F2FS_NAME_LEN || > > + bit_pos + GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)) > > > + d.max)) > > + return -EFSCORRUPTED; > > err = -EFSCORRUPTED; > goto punch_dentry_pages; Applied with it. > > Thanks, > > > > > /* > > * We only need the disk_name and hash to move the dentry. >