From nobody Mon Jun 8 08:27:57 2026 Received: from mail-qv1-f43.google.com (mail-qv1-f43.google.com [209.85.219.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 665CB38D40E for ; Wed, 3 Jun 2026 15:49:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780501778; cv=none; b=ea7p0gqIrMObccpinnwlC3nG3o2wtyozY6Y/RxHo4paixlNqGdbWN8hqEbvj96P/dLVWzDtxMHXOFzlqwcR+DNlp87ywwDyv3cFtUcXsgFUfAmflLcPs1ZHnOOvHp6FhDO2Rm9ASPPXqVu1ieluPuEJFu9RkY7S/wEUhXGjwMmE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780501778; c=relaxed/simple; bh=TH1y5pZVHi8tVM0jm/z+qQT+70QUc9CV6cKQ9ensPXs=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=YS7XIbIF6mANuf5HMRxsPNZ2KpBnhX11fNKRTMDdAgZlgaVBLIFzFQDPh2bmAcjtSvk1YY/YZqZjlIscmShruhrVp16IFEChGHcyxI283L8NH9NsnjOwikRnbKi4oD8qk4q8dOv0dKzC/vzZChGuGIZDICcGHvT1qGTJsFlf8II= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=trailofbits.com; spf=pass smtp.mailfrom=trailofbits.com; dkim=pass (2048-bit key) header.d=trailofbits.com header.i=@trailofbits.com header.b=NfSLKHcV; arc=none smtp.client-ip=209.85.219.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=trailofbits.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=trailofbits.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=trailofbits.com header.i=@trailofbits.com header.b="NfSLKHcV" Received: by mail-qv1-f43.google.com with SMTP id 6a1803df08f44-8ccf181a52bso47877086d6.3 for ; Wed, 03 Jun 2026 08:49:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=trailofbits.com; s=google; t=1780501776; x=1781106576; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=Q7Bnzm+zoUq1PmybAub5hEImADXF9AGqvVXRPxWBhyo=; b=NfSLKHcVb59XwyW+KNtpPCq8UPFIGoqhXExTMpK9STonwBsmGawBuaeQf327Q98Qr1 lYcEBIp18tndXp2OD/75IY7duvRyrjEajzqATeHeLpqqYAflX9mJlcqLRw5HT0s2U43h q2gT7uSUY6V99lSB6LD59YgIGrfQ7HSxgj6b21QyW0kO8j0NjBPCtwzcZ6J4YsFrto0d 9yw2oBfHNnafhqJeXal8Vyu/6qlyG21vvRHGP1/KQAZMLUKVJf2AGp5tp4bXiNywCAxq KyzmdKityGwmNz0/I5Mz2asnWNa/hma/8N7HCys7/k2Onhng8AaWsOtWB4b3P+kDaYv5 sQOg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780501776; x=1781106576; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Q7Bnzm+zoUq1PmybAub5hEImADXF9AGqvVXRPxWBhyo=; b=WLNYBQhZ5j6KG5m1cDmCvXhtmiAHPhm+E5a1h0NZi1Dig8JEyzWS3HYJekAdo/K9MC 1JebezucxVZipFMfNwn+koGyL4QR6u00cjtgIE3LzBsiZ+lBUcoXbIQZyd7uq3uZjB2V 8oBgR5HDAZPo0SgqbaUU5vmOAudUFsVk9guqEiimFO9QXzLoI8bkhdxJG+X0/EfLel2k 8mABkkUUCL5Yp8H6LLBupp7QWh0sebbNpRKUHpezEAokdiK5ARzUarvisRDxkAKhVlhz EN1d6goLc5QGaOBuh2fX8SoINE/A0YMqd2KtXe8oucPqjy2hfJz6N42J1eJfUGW2ZXmW y0qw== X-Forwarded-Encrypted: i=1; AFNElJ9Cb19DOl60ImMO5LshsrR5FvKB0EHhoB3kKKCHqOcnG5Eh8fvdBsdQVCCtOBW+8U2hqMDfImxrVPBTTQA=@vger.kernel.org X-Gm-Message-State: AOJu0YyK+VMyaqUtYzIIBXQLzZsuW671M6GWwY6Mf6zDr/gInFZepXr2 acCb0bFwiRSEmlgsZo1sjuQG76G6kXtbku/XgYWKz0OGviQAfDBRx5dNP4DjWRi6k4Q= X-Gm-Gg: Acq92OFf9U4Ji8r2e65f1/MIpZLBh8eek+3G4zRV5fF9avcx8D9bhDAEdNvrRK7MVY6 9HqcjpKRVgFsqN7cS4yNR3msrHAx91Z9/ezaP07PAriuUPCvvLjQn6WmBVG7pRVzHCENT7TQESu 4n9lfB/Uub93u5ReDsUzqh60OqZZtJOprYzn1BMXQjjPraZpMd5M15ix42ceaISRz/woGhQOS5C VBruy46wrvZjbUPQyOWm4tUZIs++rRi+dQbY8YwxhocfToaN+em7hRSy05/chrwnGS7vrDSnJaC kBR8wlGrMvQfOhBua65NMOtP9ND7572M5fjA3VMhLhtlKcD2RZAKxCRM1zaw9RUZjGzKA+agmkZ cFaVMSSx8ssTtw9IGq323rKSNzzGfpN/5wHCmZSEv6PbqdBPuyT/BIzgzikR81zMEOUPb7SLFFn H+JlzyWm3TwWRwoTZ5QuLRVXXhjbzmXmLwOSsyow== X-Received: by 2002:a05:6214:4302:b0:8cc:f899:bb79 with SMTP id 6a1803df08f44-8cece16246cmr54331596d6.46.1780501776353; Wed, 03 Jun 2026 08:49:36 -0700 (PDT) Received: from localhost ([161.35.96.86]) by smtp.gmail.com with UTF8SMTPSA id 6a1803df08f44-8cecd055181sm23176366d6.30.2026.06.03.08.49.35 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 03 Jun 2026 08:49:35 -0700 (PDT) From: Samuel Moelius To: Jaegeuk Kim Cc: Samuel Moelius , Chao Yu , linux-f2fs-devel@lists.sourceforge.net (open list:F2FS FILE SYSTEM), linux-kernel@vger.kernel.org (open list) Subject: [PATCH] f2fs: validate inline dentry name lengths before conversion Date: Wed, 3 Jun 2026 15:49:32 +0000 Message-ID: <20260603154933.16368-1-sam.moelius@trailofbits.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Inline dentry conversion copies names out of the inline dentry area before checking that each recorded name length fits in the available filename slots. A corrupted image can therefore make the conversion path read past the inline filename storage while building the regular dentry block. Validate each inline dentry name length against the inline filename area before copying it. Assisted-by: Codex:gpt-5.5-cyber-preview Signed-off-by: Samuel Moelius --- fs/f2fs/inline.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c index 7aabfc9b43cb..4584dfbe3fb8 100644 --- a/fs/f2fs/inline.c +++ b/fs/f2fs/inline.c @@ -507,6 +507,10 @@ static int f2fs_add_inline_entries(struct inode *dir, = void *inline_dentry) bit_pos++; continue; } + if (unlikely(le16_to_cpu(de->name_len) > F2FS_NAME_LEN || + bit_pos + GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)) > + d.max)) + return -EFSCORRUPTED; =20 /* * We only need the disk_name and hash to move the dentry. --=20 2.43.0