From: Samuel Moelius
To: Jaegeuk Kim
Cc: Samuel Moelius, Chao Yu, linux-f2fs-devel@lists.sourceforge.net (open list:F2FS FILE SYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] f2fs: validate dentry name length before lookup compares it
Date: Wed, 3 Jun 2026 16:11:26 +0000
Message-ID: <20260603161127.17464-1-sam.moelius@trailofbits.com>

The f2fs dentry lookup path can use the on-disk name length before checking that the name fits in the dentry filename area. A corrupted dentry can then make lookup read beyond the filename slots.

The bounds check needs to happen before any comparison that consumes the name length from disk.

Reject dentries with invalid name lengths before comparing their names.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius

--- fs/f2fs/dir.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c index 38802ee2e40d..14161d5a1af0 100644 --- a/fs/f2fs/dir.c +++ b/fs/f2fs/dir.c 
@@ -249,6 +249,11 @@ struct f2fs_dir_entry *f2fs_find_target_dentry(const s= truct f2fs_dentry_ptr *d, continue; } =20 + if (unlikely(le16_to_cpu(de->name_len) > F2FS_NAME_LEN || + bit_pos + GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)) > + d->max)) + return ERR_PTR(-EFSCORRUPTED); + if (!use_hash || de->hash_code =3D=3D fname->hash) { res =3D f2fs_match_name(d->inode, fname, d->filename[bit_pos], --=20 2.43.0
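Review bot: The new `return ERR_PTR(-EFSCORRUPTED)` in f2fs_find_target_dentry() fails the lookup silently: nothing on the added lines logs the offending name_len or bit_pos, or marks the filesystem as needing fsck, so the only visible symptom is a failed lookup. Consider emitting a warning that carries both values before returning. Because the check sits ahead of the `!use_hash || de->hash_code == fname->hash` test, it also fires on entries whose hash does not match, so one bad entry fails lookups for unrelated names that would have been found later in the same block; if that is intended, the commit message should say so. Minor: `le16_to_cpu(de->name_len)` is evaluated twice in the condition, and a local would make the two bounds easier to read. It is also worth confirming that every caller tests the result with IS_ERR() rather than only for NULL.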