fs/ocfs2/dir.c | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+)
[BUG]
A corrupted indexed directory can trigger a KASAN use-after-free in
ocfs2_dx_dir_lookup_rec() when the dx root or leaf extent list carries
an out-of-range l_count or l_next_free_rec value.
BUG: KASAN: use-after-free in ocfs2_dx_dir_lookup_rec+0x6f7/0x880 fs/ocfs2/dir.c:813
Read of size 4 at addr ffff888043b7b0e0 by task syz.0.3467/8031
Call Trace:
<TASK>
...
ocfs2_dx_dir_lookup_rec+0x6f7/0x880 fs/ocfs2/dir.c:813
ocfs2_dx_dir_lookup+0x100/0x5d0 fs/ocfs2/dir.c:868
ocfs2_dx_dir_search+0x7bc/0x11c0 fs/ocfs2/dir.c:928
ocfs2_find_entry_dx fs/ocfs2/dir.c:1042 [inline]
ocfs2_find_entry+0x97e/0xce0 fs/ocfs2/dir.c:1079
ocfs2_find_files_on_disk+0xa9/0x2f0 fs/ocfs2/dir.c:2002
ocfs2_lookup_ino_from_name+0xae/0x110 fs/ocfs2/dir.c:2024
ocfs2_lookup+0x45e/0x860 fs/ocfs2/namei.c:122
lookup_open.isra.0+0x4a2/0x1460 fs/namei.c:3774
open_last_lookups fs/namei.c:3895 [inline]
path_openat+0x11fe/0x2ce0 fs/namei.c:4131
do_filp_open+0x1f6/0x430 fs/namei.c:4161
do_sys_openat2+0x117/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0x15b/0x220 fs/open.c:1463
...
[CAUSE]
ocfs2_dx_dir_lookup_rec() only checked for an empty extent list before
iterating over the directory index records. It did not verify that the
root dx list fits within a dx root block, or that the leaf list fits
within an extent block.
Comparing l_next_free_rec only against the on-disk l_count is also not
enough because l_count itself can be corrupted.
[FIX]
Validate both the dx root list and the leaf extent list against their
physical record capacities before indexing into l_recs[]. Use
ocfs2_extent_recs_per_dx_root() for the root and
ocfs2_extent_recs_per_eb() for the leaf block so the bounds check does
not trust on-disk sizing fields.
Fixes: 9b7895efac90 ("ocfs2: Add a name indexed b-tree to directory inodes")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
---
fs/ocfs2/dir.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
index b82fe4431eb1..3403c0d3810e 100644
--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -790,15 +790,25 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
struct buffer_head *eb_bh = NULL;
struct ocfs2_extent_block *eb;
struct ocfs2_extent_rec *rec = NULL;
+ unsigned int max_recs;
- if (le16_to_cpu(el->l_count) !=
- ocfs2_extent_recs_per_dx_root(inode->i_sb)) {
+ max_recs = ocfs2_extent_recs_per_dx_root(inode->i_sb);
+ if (le16_to_cpu(el->l_count) != max_recs) {
ret = ocfs2_error(inode->i_sb,
"Inode %llu has invalid extent list length %u\n",
inode->i_ino, le16_to_cpu(el->l_count));
goto out;
}
+ if (le16_to_cpu(el->l_next_free_rec) > max_recs) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %llu has invalid dx root next free %u, max %u\n",
+ inode->i_ino,
+ le16_to_cpu(el->l_next_free_rec),
+ max_recs);
+ goto out;
+ }
+
if (el->l_tree_depth) {
ret = ocfs2_find_leaf(INODE_CACHE(inode), el, major_hash,
&eb_bh);
@@ -817,6 +827,27 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
(unsigned long long)eb_bh->b_blocknr);
goto out;
}
+
+ max_recs = ocfs2_extent_recs_per_eb(inode->i_sb);
+ if (le16_to_cpu(el->l_count) != max_recs) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %llu has invalid tree block %llu list count %u, max %u\n",
+ inode->i_ino,
+ (unsigned long long)eb_bh->b_blocknr,
+ le16_to_cpu(el->l_count),
+ max_recs);
+ goto out;
+ }
+
+ if (le16_to_cpu(el->l_next_free_rec) > max_recs) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %llu has invalid tree block %llu next free %u, max %u\n",
+ inode->i_ino,
+ (unsigned long long)eb_bh->b_blocknr,
+ le16_to_cpu(el->l_next_free_rec),
+ max_recs);
+ goto out;
+ }
}
if (le16_to_cpu(el->l_next_free_rec) == 0) {© 2016 - 2026 Red Hat, Inc.