1. Patchew
  2. linux
  3. View series

[PATCH v2] ocfs2: validate l_tree_depth to avoid out-of-bounds access

Vasiliy Kovalev posted 1 patch 3 weeks, 5 days ago
There is a newer version of this series
fs/ocfs2/alloc.c | 8 ++++++++
1 file changed, 8 insertions(+)
[PATCH v2] ocfs2: validate l_tree_depth to avoid out-of-bounds access
Posted by Vasiliy Kovalev 3 weeks, 5 days ago 
The l_tree_depth field is 16-bit (__le16), but the actual
maximum depth is limited to OCFS2_MAX_PATH_DEPTH.

Add a check to prevent out-of-bounds access if l_tree_depth
has an invalid value, which may occur when reading from a
corrupted mounted disk [1].

Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
Reported-by: syzbot+66c146268dc88f4341fd@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=66c146268dc88f4341fd [1]
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
v2: Restricted depth to OCFS2_MAX_PATH_DEPTH and moved the check
    to __ocfs2_find_path().
---
 fs/ocfs2/alloc.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index 4414743b638e8..cec8fc5cb8e87 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -1803,6 +1803,14 @@ static int __ocfs2_find_path(struct ocfs2_caching_info *ci,
 
 	el = root_el;
 	while (el->l_tree_depth) {
+		if (unlikely(le16_to_cpu(el->l_tree_depth) > OCFS2_MAX_PATH_DEPTH)) {
+			ocfs2_error(ocfs2_metadata_cache_get_super(ci),
+				    "Owner %llu has invalid tree depth %u in extent list\n",
+				    (unsigned long long)ocfs2_metadata_cache_owner(ci),
+				    le16_to_cpu(el->l_tree_depth));
+			ret = -EROFS;
+			goto out;
+		}
 		if (le16_to_cpu(el->l_next_free_rec) == 0) {
 			ocfs2_error(ocfs2_metadata_cache_get_super(ci),
 				    "Owner %llu has empty extent list at depth %u\n",
-- 
2.42.2
Re: [PATCH v2] ocfs2: validate l_tree_depth to avoid out-of-bounds access
Posted by Joseph Qi 3 weeks, 5 days ago 

On 2025/2/14 16:00, Vasiliy Kovalev wrote:
> The l_tree_depth field is 16-bit (__le16), but the actual
> maximum depth is limited to OCFS2_MAX_PATH_DEPTH.
> 
> Add a check to prevent out-of-bounds access if l_tree_depth
> has an invalid value, which may occur when reading from a
> corrupted mounted disk [1].
> 
> Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
> Reported-by: syzbot+66c146268dc88f4341fd@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=66c146268dc88f4341fd [1]
> Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
> ---
> v2: Restricted depth to OCFS2_MAX_PATH_DEPTH and moved the check
>     to __ocfs2_find_path().
> ---
>  fs/ocfs2/alloc.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
> index 4414743b638e8..cec8fc5cb8e87 100644
> --- a/fs/ocfs2/alloc.c
> +++ b/fs/ocfs2/alloc.c
> @@ -1803,6 +1803,14 @@ static int __ocfs2_find_path(struct ocfs2_caching_info *ci,
>  
>  	el = root_el;
>  	while (el->l_tree_depth) {
> +		if (unlikely(le16_to_cpu(el->l_tree_depth) > OCFS2_MAX_PATH_DEPTH)) {

More precisely, it's ">= OCFS2_MAX_PATH_DEPTH".

> +			ocfs2_error(ocfs2_metadata_cache_get_super(ci),
> +				    "Owner %llu has invalid tree depth %u in extent list\n",
> +				    (unsigned long long)ocfs2_metadata_cache_owner(ci),
> +				    le16_to_cpu(el->l_tree_depth));
> +			ret = -EROFS;
> +			goto out;
> +		}
>  		if (le16_to_cpu(el->l_next_free_rec) == 0) {
>  			ocfs2_error(ocfs2_metadata_cache_get_super(ci),
>  				    "Owner %llu has empty extent list at depth %u\n",
[PATCH v3] ocfs2: validate l_tree_depth to avoid out-of-bounds access
Posted by Vasiliy Kovalev 3 weeks, 5 days ago 
The l_tree_depth field is 16-bit (__le16), but the actual
maximum depth is limited to OCFS2_MAX_PATH_DEPTH.

Add a check to prevent out-of-bounds access if l_tree_depth
has an invalid value, which may occur when reading from a
corrupted mounted disk [1].

Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
Reported-by: syzbot+66c146268dc88f4341fd@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=66c146268dc88f4341fd [1]
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
v3: Change the condition "> OCFS2_MAX_PATH_DEPTH" to ">= OCFS2_MAX_PATH_DEPTH"
v2: Restricted depth to OCFS2_MAX_PATH_DEPTH and moved the check
    to __ocfs2_find_path().
---
 fs/ocfs2/alloc.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index 4414743b638e8..cec8fc5cb8e87 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -1803,6 +1803,14 @@ static int __ocfs2_find_path(struct ocfs2_caching_info *ci,
 
 	el = root_el;
 	while (el->l_tree_depth) {
+		if (unlikely(le16_to_cpu(el->l_tree_depth) >= OCFS2_MAX_PATH_DEPTH)) {
+			ocfs2_error(ocfs2_metadata_cache_get_super(ci),
+				    "Owner %llu has invalid tree depth %u in extent list\n",
+				    (unsigned long long)ocfs2_metadata_cache_owner(ci),
+				    le16_to_cpu(el->l_tree_depth));
+			ret = -EROFS;
+			goto out;
+		}
 		if (le16_to_cpu(el->l_next_free_rec) == 0) {
 			ocfs2_error(ocfs2_metadata_cache_get_super(ci),
 				    "Owner %llu has empty extent list at depth %u\n",
-- 
2.42.2
Re: [PATCH v3] ocfs2: validate l_tree_depth to avoid out-of-bounds access
Posted by Joseph Qi 3 weeks, 5 days ago 

On 2025/2/14 16:49, Vasiliy Kovalev wrote:
> The l_tree_depth field is 16-bit (__le16), but the actual
> maximum depth is limited to OCFS2_MAX_PATH_DEPTH.
> 
> Add a check to prevent out-of-bounds access if l_tree_depth
> has an invalid value, which may occur when reading from a
> corrupted mounted disk [1].
> 
> Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
> Reported-by: syzbot+66c146268dc88f4341fd@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=66c146268dc88f4341fd [1]
> Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>

Looks fine.
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>

> ---
> v3: Change the condition "> OCFS2_MAX_PATH_DEPTH" to ">= OCFS2_MAX_PATH_DEPTH"
> v2: Restricted depth to OCFS2_MAX_PATH_DEPTH and moved the check
>     to __ocfs2_find_path().
> ---
>  fs/ocfs2/alloc.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
> index 4414743b638e8..cec8fc5cb8e87 100644
> --- a/fs/ocfs2/alloc.c
> +++ b/fs/ocfs2/alloc.c
> @@ -1803,6 +1803,14 @@ static int __ocfs2_find_path(struct ocfs2_caching_info *ci,
>  
>  	el = root_el;
>  	while (el->l_tree_depth) {
> +		if (unlikely(le16_to_cpu(el->l_tree_depth) >= OCFS2_MAX_PATH_DEPTH)) {
> +			ocfs2_error(ocfs2_metadata_cache_get_super(ci),
> +				    "Owner %llu has invalid tree depth %u in extent list\n",
> +				    (unsigned long long)ocfs2_metadata_cache_owner(ci),
> +				    le16_to_cpu(el->l_tree_depth));
> +			ret = -EROFS;
> +			goto out;
> +		}
>  		if (le16_to_cpu(el->l_next_free_rec) == 0) {
>  			ocfs2_error(ocfs2_metadata_cache_get_super(ci),
>  				    "Owner %llu has empty extent list at depth %u\n",

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.