Re: [PATCH] ocfs2: Avoid NULL pointer dereference in dx_dir_lookup_rec()

From: Heming Zhao
Date: Mon Jun 30 2025 - 03:23:24 EST

Next message: kernel test robot: "Re: [PATCH] fs/xfs: replace strncpy with strscpy"
Previous message: Baolin Wang: "Re: [PATCH v3 7/7] mm/shmem, swap: avoid false positive swap cache lookup"
In reply to: Joseph Qi: "Re: [PATCH] ocfs2: Avoid NULL pointer dereference in dx_dir_lookup_rec()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/30/25 14:58, Joseph Qi wrote:

On 2025/6/30 10:32, Heming Zhao wrote:

On 6/30/25 09:26, Joseph Qi wrote:

Hi,

On 2025/6/27 10:38, Ivan Pravdin wrote:

When a directory entry is not found, ocfs2_dx_dir_lookup_rec() prints an
error message that unconditionally dereferences the 'rec' pointer.
However, if 'rec' is NULL, this leads to a NULL pointer dereference and
a kernel panic.

This looks possible, but syzbot reports slab-out-of-bounds Read in
ocfs2_dx_dir_lookup_rec(), not NULL pointer dereference.

So I think it is because it construct a malicious image and set a wrong
l_recs, then access this damaged l_recs.

Thanks,
Joseph

I think this proposed fix (at least the fix method) is acceptable.

But this seems different from the issue syzbot reports, right?
https://lore.kernel.org/all/67483b75.050a0220.253251.007c.GAE@xxxxxxxxxx/T/

Thanks,
Joseph

OK, I think I may have found the problem. In the URL above,
there are two issues/reports:
1> From: syzbot @ 2024-11-28 9:44 UTC
2> From: syzbot @ 2025-03-09 11:40 UTC

Your review comments about report <1>; Ivan's patch is about report <2>.

And the dashboard shows the <2>:
- https://syzkaller.appspot.com/bug?extid=20282c1b2184a857ac4c

It seems syzbot changed the fuzz code and won't trigger issue <1>.

For issue <1>, the rec was an illegal value, and made KASAN report a bug.

the crash occurs at ocfs2_error(), where the pointer 'rec' must be incorrect.
look back at the previous code lines:
        for (i = le16_to_cpu(el->l_next_free_rec) - 1; i >= 0; i--) {
                rec = &el->l_recs[i];

                if (le32_to_cpu(rec->e_cpos) <= major_hash) {
                        found = 1;
                        break;
                }
        }

either 'el->l_next_free_rec' or 'el->l_recs[i]' has an incorrect value.
we can do nothing about this kind of error, simply returning errno to caller is sufficient.

btw, ocfs2-tools has a similar function "static errcode_t ocfs2_dx_dir_lookup_rec()"@libocfs2/dir_indexed.c, which sets ret with OCFS2_ET_CORRUPT_EXTENT_BLOCK and return.

Next message: kernel test robot: "Re: [PATCH] fs/xfs: replace strncpy with strscpy"
Previous message: Baolin Wang: "Re: [PATCH v3 7/7] mm/shmem, swap: avoid false positive swap cache lookup"
In reply to: Joseph Qi: "Re: [PATCH] ocfs2: Avoid NULL pointer dereference in dx_dir_lookup_rec()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]