From nobody Mon Jun 8 08:28:15 2026 Received: from mail-qt1-f176.google.com (mail-qt1-f176.google.com [209.85.160.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9456B1D95A3 for ; Wed, 3 Jun 2026 15:11:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.176 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780499508; cv=none; b=bro10I6Q18sAkOB/XxeUiXMQHGNjsYgJMI4jSTrJQ2HumunjFrSIKb3lgXvEPnkcCxeJgDyUukJWIqhPuxZkN/f9FjJOkXhZchsNc2TN3Vw+lSaXZP/7LV7xMkINaeOesN6cWTl7jb4CZRYNYJk+f+8ReY+EqHkGtz3ZmizRDMI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780499508; c=relaxed/simple; bh=MZC/e/ckq25E26ezGbuHVciH+M1BiYcT5gVJDjB4c+w=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=LPCgFnP1zzahdsvYtHR9N1MGpW+P3lznny6Quq7ic5Uq0qsb/4aVRievLg1FdwgFWAJou+1eG48ggo/VZnRK2vZ5n69Fw5dZTLb2cnOGU/IowXLFRVNANBFmAwh1bsOWR8Z+SpOa8Fal1y/FS66c2D8CNpZJgCRiwscXffy61YE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=trailofbits.com; spf=pass smtp.mailfrom=trailofbits.com; dkim=pass (2048-bit key) header.d=trailofbits.com header.i=@trailofbits.com header.b=jVe/jxYD; arc=none smtp.client-ip=209.85.160.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=trailofbits.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=trailofbits.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=trailofbits.com header.i=@trailofbits.com header.b="jVe/jxYD" Received: by mail-qt1-f176.google.com with SMTP id d75a77b69052e-5176d4c14f5so15127721cf.0 for ; Wed, 03 Jun 2026 08:11:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=trailofbits.com; s=google; t=1780499506; x=1781104306; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=EKhAC5B5dhqPh618bXTUN+M7rgwoP9aBvOyQLY4L2Sc=; b=jVe/jxYDl2y3JKFr8Rw0O5N1vjc2BYTWGYIBz7FkcvWjLYu2tTI5WMiLeUGQZe7Oaz qPna7nWcWTNGzi3ywrW3m8MLpHbpQUbwRSBLwtO3tMVEi0ok9aOs4rP49Yb68nTM5hae 3hP5Pqhi8pur9II0FMDp2sQjbRIaNYXhuLYxtH0uopnfqHJdB51dgTT/I1WerF0nrudA G0tQD7j931V5YFHo+EK7KBglo/idxmMD6213b35t/uOJVSI48A+F3vtm2ed3Bu1G3VQD xRwK0wao7Uw9IC1tAka0k74n6OLcUN2GgVqE38i74dWrjhI43TnJB3AIy79Uy0+K8g7r IB5Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780499506; x=1781104306; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=EKhAC5B5dhqPh618bXTUN+M7rgwoP9aBvOyQLY4L2Sc=; b=H+uOsSauVHbTOXoo6fvInjJSi59Ojs7Kc6fVNL/1J/p7axVUE8z8O0F/RRG3pbFe2Q p7da230QdpgSdnekt/aPdzZWZNKAdbwDDfjQXMdMbufYGFmGVHtvnxomD0CajAkFBZhn t+QQmzHsWe+OpWfBAtOMEdkLSYnWvRbgNRE7flXbynzlxLbD6jmNj8WD7edaeakMQ61u ikyO47efjrA/OtV+rSVEYpSrZqlvltgdVB+Zvj1ptztD3yaC9s6xcShFtCNIlU+VWzMV TGnk4pgk0n89ICVxooCexRnUi/O0Dey7mLpYgF4olai6bcf69gtH4bvS0f2LdUsex8Ht z3+w== X-Forwarded-Encrypted: i=1; AFNElJ+yWPxRmfEsira22yfN7Kt18GqWaR8KOqk7oDqaQwNgq9f0Ug1k16uqUkqOfh4WMT/GeGndfmP53mkmzD0=@vger.kernel.org X-Gm-Message-State: AOJu0YwSK19YHk0AaYXBDCXlQ/5qEc70Gkx1uM1Bpo6vR5k+aJxMfJSk 61ry/vrdJNFE7nyuY4WVTxQeILdAgX+OaJJVhEfk51bi/glIr/vv/gqhsY54SEZCDo4= X-Gm-Gg: Acq92OH+o/YgwQbyyzv0yNgfuTg2CFHvNla4tKUUSDafIhbdH/xCmVd2a0ar4697wgH ljgHJuo6sJbFuw6ud34bzjtXb5dH/o7Df/TLkb4KZMgBou3cPRVpu6MysRZRcFNZb/V1S72y0Te 8NMlhXmcx7OAw3SMQmIXWRDHedpO6j/yD1OPW5DejxH07WSak7kwZpQezgOeNt/uTYw/d2RWCHa 5C9cjMnIrvstEZE7yD+86y/BoFIL/u3GuW7DSH/EThsA8zUPA9PkG5XtEci5Ls+BbrkILxjRPOw iOGjqdjXrDMb+LXD4S0nk0KVlP+RJLhFjeTqL0ykpRc57enibstXstb/+O1NmyvZ/FpcP2VVdaD jZpaxEG+KoaAbr/HUTK3pFGJZBjU16fBl2WczKMBLKGAjuhH1LfdoiaYa8qRbC/9rIvqkyPJ1mc Psspp3L9FaTxVmQ8rXAZB44V2egiTcD+i5xK2Nsw== X-Received: by 2002:ac8:598a:0:b0:517:7277:9362 with SMTP id d75a77b69052e-51778751a59mr51776541cf.48.1780499506595; Wed, 03 Jun 2026 08:11:46 -0700 (PDT) Received: from localhost ([161.35.96.86]) by smtp.gmail.com with UTF8SMTPSA id d75a77b69052e-51775dd2e53sm25387211cf.24.2026.06.03.08.11.45 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 03 Jun 2026 08:11:46 -0700 (PDT) From: Samuel Moelius X-Google-Original-From: Samuel Moelius To: Jaegeuk Kim Cc: Samuel Moelius , Chao Yu , linux-f2fs-devel@lists.sourceforge.net (open list:F2FS FILE SYSTEM), linux-kernel@vger.kernel.org (open list) Subject: [PATCH] f2fs: validate inline dentry name lengths before conversion Date: Wed, 3 Jun 2026 15:11:40 +0000 Message-ID: <20260603151141.15635-1-samuel.moelius@trailofbits.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Inline dentry conversion copies names out of the inline dentry area before checking that each recorded name length fits in the available filename slots. A corrupted image can therefore make the conversion path read past the inline filename storage while building the regular dentry block. Validate each inline dentry name length against the inline filename area before copying it. Assisted-by: Codex:gpt-5.5-cyber-preview Signed-off-by: Samuel Moelius --- fs/f2fs/inline.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c index 7aabfc9b43cb..4584dfbe3fb8 100644 --- a/fs/f2fs/inline.c +++ b/fs/f2fs/inline.c @@ -507,6 +507,10 @@ static int f2fs_add_inline_entries(struct inode *dir, = void *inline_dentry) bit_pos++; continue; } + if (unlikely(le16_to_cpu(de->name_len) > F2FS_NAME_LEN || + bit_pos + GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)) > + d.max)) + return -EFSCORRUPTED; =20 /* * We only need the disk_name and hash to move the dentry. --=20 2.43.0