The f2fs dentry lookup path can use the on-disk name length before
checking that the name fits in the dentry filename area. A corrupted
dentry can then make lookup read beyond the filename slots.
The bounds check needs to happen before any comparison that consumes
the name length from disk.

Reject dentries with invalid name lengths before comparing their names.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
---
fs/f2fs/dir.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
index 38802ee2e40d..14161d5a1af0 100644
--- a/fs/f2fs/dir.c
+++ b/fs/f2fs/dir.c
@@ -249,6 +249,11 @@ struct f2fs_dir_entry *f2fs_find_target_dentry(const struct f2fs_dentry_ptr *d,
continue;
}
+ if (unlikely(le16_to_cpu(de->name_len) > F2FS_NAME_LEN ||
+ bit_pos + GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)) >
+ d->max))
+ return ERR_PTR(-EFSCORRUPTED);
+
if (!use_hash || de->hash_code == fname->hash) {
res = f2fs_match_name(d->inode, fname,
d->filename[bit_pos],
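Review bot: the new check in f2fs_find_target_dentry returns -EFSCORRUPTED for a bad name_len but neither logs the value nor marks the superblock for fsck, so the corruption only surfaces as a failed lookup; consider a `f2fs_warn()` naming the offending name_len plus `set_sbi_flag(sbi, SBI_NEED_FSCK)` and `f2fs_handle_error(sbi, ERROR_CORRUPTED_DIRENT)` before the return, as the other on-disk-corruption paths in f2fs do (sbi would come from `F2FS_I_SB(d->inode)`). Minor: `le16_to_cpu(de->name_len)` is now evaluated twice in the condition and again in the `f2fs_match_name()` call below it; a local `unsigned int name_len = le16_to_cpu(de->name_len);` ahead of the check would read more clearly and let the comparison `bit_pos + GET_DENTRY_SLOTS(name_len) > d->max` match the `bit_pos += GET_DENTRY_SLOTS(...)` advance later in the loop. The ordering itself looks right: the F2FS_NAME_LEN test runs before the slot arithmetic, the check sits after the zero-length `continue`, and using `>` rather than `>=` against d->max correctly allows a name whose last slot is the final one in the block.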
--
2.43.0