1. Patchew
  2. linux
  3. View series

[PATCH v2 0/3] ocfs2: harden inode validators against forged metadata

Michael Bommarito posted 3 patches 5 days, 14 hours ago 
fs/ocfs2/inode.c | 151 ++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 149 insertions(+), 2 deletions(-)
[PATCH v2 0/3] ocfs2: harden inode validators against forged metadata
Posted by Michael Bommarito 5 days, 14 hours ago 
This series adds three structural checks to OCFS2 dinode validation so
malformed on-disk fields are rejected before ocfs2_populate_inode()
copies them into the in-core inode.

The checks cover:

  - i_mode values whose type bits do not name a canonical POSIX file
    type;
  - non-device dinodes whose id1.dev1.i_rdev field is non-zero; and
  - non-inline dinodes that claim non-zero i_size while i_clusters is
    zero, covering directories unconditionally and regular files on
    non-sparse volumes.

The normal read path reports these through ocfs2_error(), matching the
existing suballoc-slot, inline-data, chain-list, and refcount checks.
The online filecheck path uses the same structural predicates but keeps
its own reporting contract, returning OCFS2_FILECHECK_ERR_INVALIDINO
instead of calling ocfs2_error().

Validation from v1 still applies to the unchanged reachability model.

---

Changes in v2:

  - Patch 1 drops the tautological S_IFMT|07777 mask check and reuses
    fs_umode_to_ftype() for the canonical file-type predicate.
  - Patch 1 mirrors the i_mode check in the online filecheck path.
  - Patch 2 factors the i_rdev cross-check into a shared predicate.
  - Patch 2 mirrors the i_rdev check in the online filecheck path.
  - Patch 3 factors the size/cluster invariant into a shared predicate.
  - Patch 3 extends the zero-cluster rejection to non-inline
    directories, while preserving the sparse regular-file carveout.
  - Patch 3 mirrors the size/cluster check in the online filecheck path.
  - Patches 1 and 3 add Link trailers to the Sashiko review Andrew
    pointed out.

Testing after v2:

  - Replayed all three patches onto the original base, checked with
    checkpatch --strict, and applied cleanly with git am.
  - Rebuilt a fresh bzImage from the v2-applied tree.
  - Booted that v2 kernel five times under QEMU: sparse regular-file
    regression, non-sparse no-forge regression, forged non-canonical
    i_mode, forged non-device i_rdev, and forged non-zero i_size with
    zero i_clusters.
  - The three forged dinodes were rejected by
    ocfs2_validate_inode_block(); the two unforged regression cases
    completed without validator errors.

Michael Bommarito (3):
  ocfs2: reject dinodes with non-canonical i_mode type
  ocfs2: reject dinodes whose i_rdev disagrees with the file type
  ocfs2: reject non-inline dinodes with i_size and zero i_clusters

 fs/ocfs2/inode.c | 151 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 149 insertions(+), 2 deletions(-)

-- 
2.53.0

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.