[BUG] adfs: stack-out-of-bounds in adfs_dir_copyfrom+0x173/0x300 during getdents64()
From: Hyungjung Joo
Date: Tue Mar 10 2026 - 02:05:21 EST
Hello,
I am reporting a filesystem bug reproduced on current mainline with
KASAN enabled.
Target file: fs/adfs/dir_fplus.c
Subsystem: fs/adfs
Git head: 5ee8dbf54602dc340d6235b1d6aa17c0f283f48c
Kernel release: 7.0.0-rc2+
Root cause:
On F+ ADFS volumes, `adfs_fill_super()` selects `adfs_fplus_dir_ops`
when `dr->format_version` is non-zero. `adfs_fplus_validate_header()`
only validates aggregate directory geometry, but
`adfs_fplus_getnext()` trusts each entry's `bigdirobnamelen` and
`bigdirobnameptr`. It copies `bigdirobnamelen` bytes into `struct
object_info.name[260]` without checking `<= ADFS_MAX_NAME_LEN` or that
the per-entry offset/length pair stays within the declared names area,
so a crafted entry with length 261 or larger causes a stack
out-of-bounds write during directory iteration or lookup.
Reproducer:
C reproducer: https://pastebin.com/raw/dNisuusg
KASAN full log: https://pastebin.com/raw/y2TZ2iQH
Kernel config: https://pastebin.com/raw/BdHAvXuF
Key config options:
- CONFIG_KASAN=y
- CONFIG_KASAN_GENERIC=y
- CONFIG_KASAN_MULTI_SHOT=y
- CONFIG_DEBUG_KERNEL=y
- CONFIG_FRAME_POINTER=y
- CONFIG_ADFS_FS=y
- CONFIG_BLK_DEV_LOOP=y
- CONFIG_KASAN_STACK=y
Brief KASAN call trace:
[ 71.334335][ T144] BUG: KASAN: stack-out-of-bounds in
adfs_dir_copyfrom+0x173/0x300
[ 71.334563][ T144] Write of size 261 at addr ffa0000001417aec by
task poc-bin/144
[ 71.335206][ T144] Call Trace:
[ 71.335273][ T144] dump_stack_lvl+0x95/0x100
[ 71.335320][ T144] print_address_description.constprop.0+0x2c/0x3c0
[ 71.335377][ T144] print_report+0xb4/0x280
[ 71.335482][ T144] kasan_report+0xcf/0x140
[ 71.335550][ T144] kasan_check_range+0x3b/0x200
[ 71.335575][ T144] __asan_memcpy+0x3d/0x80
[ 71.335598][ T144] adfs_dir_copyfrom+0x173/0x300
[ 71.335682][ T144] adfs_fplus_getnext+0x360/0x500
[ 71.335800][ T144] adfs_fplus_iterate+0x1ac/0x2c0
[ 71.336012][ T144] adfs_iterate+0x196/0x480
[ 71.336035][ T144] iterate_dir+0x238/0xa80
[ 71.336035][ T144] __x64_sys_getdents64+0x132/0x240
Reproducibility notes:
- observed crash: stack-out-of-bounds in adfs_dir_copyfrom+0x173/0x300
during getdents64()
- rootfs mode: busybox
- guest /init runs the case-specific trigger binary automatically
If you need anything else, please let me know.
Thank you.
Best regards,
Hyungjung Joo, jhj140711@xxxxxxxxx
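Added illustration, not part of the report above and not code from fs/adfs: a stand-alone C model of the per-entry check the root-cause section says is missing, i.e. bounding `bigdirobnamelen` by the maximum name length and bounding the (`bigdirobnameptr`, `bigdirobnamelen`) pair by the names area declared in the directory header, before anything is copied into a 260-byte name buffer. The entry and names-area layout is simplified and hypothetical; `NAME_BUF_LEN` is the 260 quoted in the report, while `MAX_NAME_LEN = 255` is an assumption standing in for the kernel's `ADFS_MAX_NAME_LEN`, whose value the report does not give. The names area and the hostile entries are constructed sample data, not taken from the reproducer image.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * NAME_BUF_LEN is the 260-byte object_info.name size quoted in the report.
 * MAX_NAME_LEN = 255 is an assumption for this model; the real bound is the
 * kernel's ADFS_MAX_NAME_LEN, whose value is not given in the report.
 */
#define NAME_BUF_LEN 260
#define MAX_NAME_LEN 255

struct object_info {
	char   name[NAME_BUF_LEN];
	size_t name_len;
};

/*
 * Validate one entry's (bigdirobnameptr, bigdirobnamelen) pair before any
 * copy. Two independent bounds must hold: the fixed destination buffer and
 * the names area declared by the directory header. The second test is
 * written as a subtraction so that ptr + len cannot wrap around.
 */
static int fplus_check_name(uint32_t name_ptr, uint32_t name_len,
			    size_t names_size)
{
	if (name_len > MAX_NAME_LEN)
		return -EINVAL;	/* would overrun name[NAME_BUF_LEN] */
	if (name_len > names_size || name_ptr > names_size - name_len)
		return -EINVAL;	/* name does not lie inside the names area */
	return 0;
}

/* Checked copy: touches obj->name only after fplus_check_name() passes. */
static int fplus_copy_name(struct object_info *obj, const uint8_t *names,
			   size_t names_size, uint32_t name_ptr,
			   uint32_t name_len)
{
	int err = fplus_check_name(name_ptr, name_len, names_size);

	if (err)
		return err;
	memcpy(obj->name, names + name_ptr, name_len);
	obj->name[name_len] = '\0';	/* name_len <= 255, so index < 260 */
	obj->name_len = name_len;
	return 0;
}

/*
 * Constructed sample (not a real ADFS image): a 64-byte names area with
 * "hello" at offset 3, plus three hostile entries. Returns the number of
 * hostile entries rejected (expected 3) once the good entry copied cleanly,
 * or -1 if the good entry was mishandled.
 */
static int demo(void)
{
	uint8_t names[64] = { 0 };
	struct object_info obj;
	int rejected = 0;

	memcpy(names + 3, "hello", 5);

	if (fplus_copy_name(&obj, names, sizeof(names), 3, 5) != 0 ||
	    obj.name_len != 5 || strcmp(obj.name, "hello") != 0)
		return -1;

	/* 261 bytes: the write size in the KASAN report, past name[260] */
	rejected += fplus_copy_name(&obj, names, sizeof(names), 0, 261) < 0;
	/* fits the buffer but runs 4 bytes past the 64-byte names area */
	rejected += fplus_copy_name(&obj, names, sizeof(names), 60, 8) < 0;
	/* ptr + len would wrap a 32-bit adder; the subtraction form catches it */
	rejected += fplus_copy_name(&obj, names, sizeof(names), UINT32_MAX, 2) < 0;

	return rejected;
}

int main(void)
{
	int n = demo();

	printf("hostile entries rejected: %d (expected 3)\n", n);
	return n == 3 ? 0 : 1;
}
```

The point of the second condition is the order of the tests: `name_len` is bounded against the names area first, so `names_size - name_len` cannot underflow, and `name_ptr` is then compared against that remainder instead of computing `name_ptr + name_len`, which would silently wrap for a hostile offset near `UINT32_MAX`.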