From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7B5B53CBE69 for ; Mon, 13 Apr 2026 15:35:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776094535; cv=none; b=U1YASukLuGy8YbSxFt2ffQO/9LrCIynydwqh5dCbbG8g/Fh1A0wegXYDgxygJspFFHzDf08SYU+xt65xlp7U4Ws0UEzvoxXrPRsLYPNNaGwaz+rLVhP34OYAAdMSGjOUAY/mhm67X+9AVZEVq8TSUToTvmYIKTraEZj7hHjgrUo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776094535; c=relaxed/simple; bh=acJMmu84WRwCwwdcrn1eHF+kLtmkQUdYojZypc9KkYE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Gg2q+I4U+O/SrYHhF+wEpviTap01hIQgmY0Ou1BxaQuz/IuL7xqXJtRAyHWwkJabKoPslQxsKaJjZ/oiAnnQ6P60ZsQJYqj+p6oi0FfAngEBgfn3Tii6h8/7/vsyzuTAwHNhor4J1HQmzYHsrHCIIlZYnd6kl5eIMeJzqSSR/bg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=r1DMUMum; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="r1DMUMum" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 15A38C2BCB6; Mon, 13 Apr 2026 15:35:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1776094535; bh=acJMmu84WRwCwwdcrn1eHF+kLtmkQUdYojZypc9KkYE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=r1DMUMumUS00lXvaGtT1gNJGetpaAKzGP4c3imCgoTXchbXczXJR2CuRSDSQFT1Sn cp9L56wD6xhhQbp7U6vS9CXpKa4PC7kln2/Ro6BtWVVxw6k81LWx2ck4VgAWtzyXSl n7Oza7mIa+fVy+Yv+a/IQq8gF1/uN4Rxadmh2zQgrnEeLrkzUCoIJ7C4eJo48UWN65 aSSZtA1g5GXb4pqzjg+ZsSofgXQ9Wveim5MqqrlsaeznBLQLLv08yK4oQrVnqfMTiV e5dwNomwjUlbS2uromMbZV3G8T1YKcQQkuE9zhwPDMeR0uwCJqTz9dTKviuW8qYwKu eWsYksDJY4Q7Q== From: Sasha Levin To: stable@vger.kernel.org Cc: Deepanshu Kartikey , syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com, Joseph Qi , Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin Subject: [PATCH 6.6.y 2/3] ocfs2: validate inline data i_size during inode read Date: Mon, 13 Apr 2026 11:35:29 -0400 Message-ID: <20260413153531.3097531-2-sashal@kernel.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260413153531.3097531-1-sashal@kernel.org> References: <2026041351-barbecue-conductor-c8e7@gregkh> <20260413153531.3097531-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Deepanshu Kartikey [ Upstream commit 1524af3685b35feac76662cc551cbc37bd14775f ] When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode's i_size can exceed the actual inline data capacity (id_count). This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory. In the syzbot report: - i_size was 1099511627576 bytes (~1TB) - Actual inline data capacity (id_count) is typically <256 bytes - A garbage rec_len (54648) caused ctx->pos to jump out of bounds - This triggered a UAF in ocfs2_check_dir_entry() Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data. Link: https://lkml.kernel.org/r/20251212052132.16750-1-kartikey406@gmail.com Signed-off-by: Deepanshu Kartikey Reported-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c897823f699449cc3eb4 Tested-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/20251211115231.3560028-1-kartikey406@gmail.com/T/ [v1] Link: https://lore.kernel.org/all/20251212040400.6377-1-kartikey406@gmail.com/T/ [v2] Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Cc: Heming Zhao Signed-off-by: Andrew Morton Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline") Signed-off-by: Sasha Levin --- fs/ocfs2/inode.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c index b8db6e3c53694..e614b5981ae2c 100644 --- a/fs/ocfs2/inode.c +++ b/fs/ocfs2/inode.c @@ -1419,12 +1419,25 @@ int ocfs2_validate_inode_block(struct super_block *sb, goto bail; } - if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) && - le32_to_cpu(di->i_clusters)) { - rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n", - (unsigned long long)bh->b_blocknr, - le32_to_cpu(di->i_clusters)); - goto bail; + if (le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) { + struct ocfs2_inline_data *data = &di->id2.i_data; + + if (le32_to_cpu(di->i_clusters)) { + rc = ocfs2_error(sb, + "Invalid dinode %llu: %u clusters\n", + (unsigned long long)bh->b_blocknr, + le32_to_cpu(di->i_clusters)); + goto bail; + } + + if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) { + rc = ocfs2_error(sb, + "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n", + (unsigned long long)bh->b_blocknr, + (unsigned long long)le64_to_cpu(di->i_size), + le16_to_cpu(data->id_count)); + goto bail; + } } rc = 0; -- 2.53.0