From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 70328125A9 for ; Mon, 13 Apr 2026 15:50:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776095429; cv=none; b=XWPOidh42SKF0gddkPnGaH/zPdnw4KNEiK0hEb3sVu1oTMkVam6UmfD0Hr5fWJKlGP0JCiYqR8TiU0kdlgaxMv0sxAdnvHqcahIH+ZLqop2yoEYVpUhoEaXK8mmIPh5c+HbmSGVuVg5EttPAzrqw5Fx70tqjyPuINGdVx6BMuWE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776095429; c=relaxed/simple; bh=eCDpZ8/LdQKAfILwScHQRt+QkUpmBjhlbW0MLlwM7p8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=V8yMESAZ3OmqOzQmBxa4GgAhu1oc429Tr3HoJvW4GsBnTF9zYLd+pmsrc6lrviOZDUXYQ8ww8GSYjSGC7xEdtsZ8NRvBXgWy2aUm3DfbP2jDxc8zrNlWovP6WVjFy4dbMzjpOLv7b7gIaxWZeB/0viA0MXkUJw2FcUw57hhyCw8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=oEP43clO; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="oEP43clO" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1B83FC2BCB0; Mon, 13 Apr 2026 15:50:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1776095429; bh=eCDpZ8/LdQKAfILwScHQRt+QkUpmBjhlbW0MLlwM7p8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=oEP43clOx2huspJytPHfSoL7/wejkit8AkyuGlFmvDpXQ/7cwAujBTraPaOvi8bCl 1J/ZsA0ZSc02iiJpdSU/pfwUg5aBk0oHeG3aNPZyyFshc/Z2Ek0n4e79eoHf6ZaNwJ gKVqdrHX1m05GJVMpCTmyyOy3xMxd0u1zjU9Ff+kiBD8shBEvcIy1chdQY7EL9C7qK TKcZOwQ154+GvLcWNc4ArGNWv+VnDewIUga4RYf/mjGOpabj//Innl+WL09NE5xgqO bFMD6xLhqiQSmZ3mZ1T2noIt2wFUkcP5YcwZ6XKn79RclHOQT5g5G3cnwwn0XVWmAa KaC+zzWw4RhvQ== From: Sasha Levin To: stable@vger.kernel.org Cc: Deepanshu Kartikey , syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com, Joseph Qi , Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin Subject: [PATCH 5.15.y 2/3] ocfs2: validate inline data i_size during inode read Date: Mon, 13 Apr 2026 11:50:24 -0400 Message-ID: <20260413155025.3145781-2-sashal@kernel.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260413155025.3145781-1-sashal@kernel.org> References: <2026041353-swimmer-skied-a346@gregkh> <20260413155025.3145781-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Deepanshu Kartikey [ Upstream commit 1524af3685b35feac76662cc551cbc37bd14775f ] When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode's i_size can exceed the actual inline data capacity (id_count). This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory. In the syzbot report: - i_size was 1099511627576 bytes (~1TB) - Actual inline data capacity (id_count) is typically <256 bytes - A garbage rec_len (54648) caused ctx->pos to jump out of bounds - This triggered a UAF in ocfs2_check_dir_entry() Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data. Link: https://lkml.kernel.org/r/20251212052132.16750-1-kartikey406@gmail.com Signed-off-by: Deepanshu Kartikey Reported-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c897823f699449cc3eb4 Tested-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/20251211115231.3560028-1-kartikey406@gmail.com/T/ [v1] Link: https://lore.kernel.org/all/20251212040400.6377-1-kartikey406@gmail.com/T/ [v2] Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Cc: Heming Zhao Signed-off-by: Andrew Morton Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline") Signed-off-by: Sasha Levin --- fs/ocfs2/inode.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c index f42fa45ccd67d..0c11e298ec282 100644 --- a/fs/ocfs2/inode.c +++ b/fs/ocfs2/inode.c @@ -1416,12 +1416,25 @@ int ocfs2_validate_inode_block(struct super_block *sb, goto bail; } - if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) && - le32_to_cpu(di->i_clusters)) { - rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n", - (unsigned long long)bh->b_blocknr, - le32_to_cpu(di->i_clusters)); - goto bail; + if (le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) { + struct ocfs2_inline_data *data = &di->id2.i_data; + + if (le32_to_cpu(di->i_clusters)) { + rc = ocfs2_error(sb, + "Invalid dinode %llu: %u clusters\n", + (unsigned long long)bh->b_blocknr, + le32_to_cpu(di->i_clusters)); + goto bail; + } + + if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) { + rc = ocfs2_error(sb, + "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n", + (unsigned long long)bh->b_blocknr, + (unsigned long long)le64_to_cpu(di->i_size), + le16_to_cpu(data->id_count)); + goto bail; + } } rc = 0; -- 2.53.0