From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 44C143090F5 for ; Mon, 13 Apr 2026 16:26:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776097576; cv=none; b=ktNuh3BzR7n9vtQTjEMk3yfSK6gW55ux2mn311klZfDPdsj3HxHOZFuakVh5PpjQ91XVLuaEBVo82xfitD5ByZjKuTfxfesyiAahFUTxx8RCvqREBBiWvdRVb838SkoYAeQoCCIcWd+mkn1S56l1ullDXZFGB8wVKwHdsqKMvA8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776097576; c=relaxed/simple; bh=UvBwHEXHiHFNGnxPqoZMeJpTKwlwZoSPRv/z8O97M0o=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=W55EP/+2NAjESDk0idtpWS+opEYYMBz7f1pRmgw8AmpKdWppD5jpt2okLOa0+VD1rUA/M6FE1ores2YxsVa5u60pFi3TstYVm6uvD+tppmNQP3KywKQONpnhNYZmKUPrj8LDrlggRGxRsuniyx3AtwjyRYcUAqMqPpXyHnxRzoY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=pGqidcCn; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="pGqidcCn" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E4EC9C2BCB7; Mon, 13 Apr 2026 16:26:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1776097576; bh=UvBwHEXHiHFNGnxPqoZMeJpTKwlwZoSPRv/z8O97M0o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pGqidcCneD4O6kInIGi4Y43Ce9RS6HONSKQ8v3/zsEyF59sAAV7r8QINh4ExzbLRX vNTUe7/ghqGMJ+S/+R4NIDXnMgJk0GMOVUABqT8M4di6IcGyIiAjPAhtRKKPBa8sO+ UbLBeOscocr+fiASaTTUqYGoH0DO0cG0+Q57Rinioy0/fmou4wCoKDSsxW/N0n+n7b QIoJS+dv6Y/KV6XPav0K3dx3rxC7KB+EuDWuCDb8gklIYRB6O7v/eczMZE9rO3qN0P 4509teLGtWeeamHfA0dWHwJTsNC1HafCJ46SShBU7tRjQh7G4+O6xhyDB/XJFLj/My nm75ZtSvcrSQA== From: Sasha Levin To: stable@vger.kernel.org Cc: Deepanshu Kartikey , syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com, Joseph Qi , Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin Subject: [PATCH 5.10.y 2/3] ocfs2: validate inline data i_size during inode read Date: Mon, 13 Apr 2026 12:26:10 -0400 Message-ID: <20260413162611.3289109-2-sashal@kernel.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260413162611.3289109-1-sashal@kernel.org> References: <2026041354-dork-imperial-5aba@gregkh> <20260413162611.3289109-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Deepanshu Kartikey [ Upstream commit 1524af3685b35feac76662cc551cbc37bd14775f ] When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode's i_size can exceed the actual inline data capacity (id_count). This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory. In the syzbot report: - i_size was 1099511627576 bytes (~1TB) - Actual inline data capacity (id_count) is typically <256 bytes - A garbage rec_len (54648) caused ctx->pos to jump out of bounds - This triggered a UAF in ocfs2_check_dir_entry() Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data. Link: https://lkml.kernel.org/r/20251212052132.16750-1-kartikey406@gmail.com Signed-off-by: Deepanshu Kartikey Reported-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c897823f699449cc3eb4 Tested-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/20251211115231.3560028-1-kartikey406@gmail.com/T/ [v1] Link: https://lore.kernel.org/all/20251212040400.6377-1-kartikey406@gmail.com/T/ [v2] Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Cc: Heming Zhao Signed-off-by: Andrew Morton Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline") Signed-off-by: Sasha Levin --- fs/ocfs2/inode.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c index a25af01463cf6..a673d877291c7 100644 --- a/fs/ocfs2/inode.c +++ b/fs/ocfs2/inode.c @@ -1418,12 +1418,25 @@ int ocfs2_validate_inode_block(struct super_block *sb, goto bail; } - if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) && - le32_to_cpu(di->i_clusters)) { - rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n", - (unsigned long long)bh->b_blocknr, - le32_to_cpu(di->i_clusters)); - goto bail; + if (le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) { + struct ocfs2_inline_data *data = &di->id2.i_data; + + if (le32_to_cpu(di->i_clusters)) { + rc = ocfs2_error(sb, + "Invalid dinode %llu: %u clusters\n", + (unsigned long long)bh->b_blocknr, + le32_to_cpu(di->i_clusters)); + goto bail; + } + + if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) { + rc = ocfs2_error(sb, + "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n", + (unsigned long long)bh->b_blocknr, + (unsigned long long)le64_to_cpu(di->i_size), + le16_to_cpu(data->id_count)); + goto bail; + } } rc = 0; -- 2.53.0