Re: [PATCH] ocfs2: fix out-of-bounds write in ocfs2_write_end_inline

[Joseph Qi]

On 4/3/26 2:48 PM, Andrew Morton wrote:
> On Fri,  3 Apr 2026 14:38:30 +0800 Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx> wrote:
> 
>> KASAN reports a use-after-free write of 4086 bytes in
>> ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
>> copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted
>> on a loop device. The actual bug is an out-of-bounds write past the
>> inode block buffer, not a true use-after-free. The write overflows into
>> an adjacent freed page, which KASAN reports as UAF.
>>
>> The root cause is that ocfs2_try_to_write_inline_data trusts the
>> on-disk id_count field to determine whether a write fits in inline
>> data. On a corrupted filesystem, id_count can exceed the physical
>> maximum inline data capacity, causing writes to overflow the inode
>> block buffer.
>>
>> Call trace (crash path):
>>
>>    vfs_copy_file_range (fs/read_write.c:1634)
>>      do_splice_direct
>>        splice_direct_to_actor
>>          iter_file_splice_write
>>            ocfs2_file_write_iter
>>              generic_perform_write
>>                ocfs2_write_end
>>                  ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
>>                    ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
>>                      memcpy_from_folio     <-- KASAN: write OOB
>>
>> So add id_count upper bound check in ocfs2_validate_inode_block() to
>> alongside the existing i_size check to fix it.
> 
> Thanks.
> 
>> --- a/fs/ocfs2/inode.c
>> +++ b/fs/ocfs2/inode.c
>> @@ -1505,6 +1505,16 @@ int ocfs2_validate_inode_block(struct super_block *sb,
>>  			goto bail;
>>  		}
>>  
>> +		if (le16_to_cpu(data->id_count) >
>> +		    ocfs2_max_inline_data_with_xattr(sb, di)) {
>> +			rc = ocfs2_error(sb,
>> +					 "Invalid dinode #%llu: inline data id_count %u exceeds max %d\n",
>> +					 (unsigned long long)bh->b_blocknr,
>> +					 le16_to_cpu(data->id_count),
>> +					 ocfs2_max_inline_data_with_xattr(sb, di));
>> +			goto bail;
>> +		}
>> +
>>  		if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
>>  			rc = ocfs2_error(sb,
>>  					 "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
> 
> Even though the surrounding code is from 2025 (1524af3685b35), I think
> this bug predates 1524af3685b35?
> 
> If so, I expect the -stable people will have trouble backporting this. 
> If so, they'll report it and shall ask for a reworked version.

This seems blame to a very old commit (perhaps 1afc32b95233?), since it
was designed to trust the on-disk block.
So I don't add a fixes tag for it.

Thanks,
Joseph