Re: [PATCH] ocfs2: validate dx extent list bounds during lookup

[Joseph Qi]

This makes ocfs2_dx_dir_lookup_rec() messy.
And I think the right place to do this check is ocfs2_validate_dx_root()
and ocfs2_validate_extent_block() during read from disk.
I'll rework it and send out later.

Thanks,
Joseph

On 4/1/26 9:39 AM, ZhengYuan Huang wrote:
> [BUG]
> A corrupted indexed directory can trigger a KASAN use-after-free in
> ocfs2_dx_dir_lookup_rec() when the dx root or leaf extent list carries
> an out-of-range l_count or l_next_free_rec value.
> 
> BUG: KASAN: use-after-free in ocfs2_dx_dir_lookup_rec+0x6f7/0x880 fs/ocfs2/dir.c:813
> Read of size 4 at addr ffff888043b7b0e0 by task syz.0.3467/8031
> 
> Call Trace:
>  <TASK>
>  ...
>  ocfs2_dx_dir_lookup_rec+0x6f7/0x880 fs/ocfs2/dir.c:813
>  ocfs2_dx_dir_lookup+0x100/0x5d0 fs/ocfs2/dir.c:868
>  ocfs2_dx_dir_search+0x7bc/0x11c0 fs/ocfs2/dir.c:928
>  ocfs2_find_entry_dx fs/ocfs2/dir.c:1042 [inline]
>  ocfs2_find_entry+0x97e/0xce0 fs/ocfs2/dir.c:1079
>  ocfs2_find_files_on_disk+0xa9/0x2f0 fs/ocfs2/dir.c:2002
>  ocfs2_lookup_ino_from_name+0xae/0x110 fs/ocfs2/dir.c:2024
>  ocfs2_lookup+0x45e/0x860 fs/ocfs2/namei.c:122
>  lookup_open.isra.0+0x4a2/0x1460 fs/namei.c:3774
>  open_last_lookups fs/namei.c:3895 [inline]
>  path_openat+0x11fe/0x2ce0 fs/namei.c:4131
>  do_filp_open+0x1f6/0x430 fs/namei.c:4161
>  do_sys_openat2+0x117/0x1c0 fs/open.c:1437
>  do_sys_open fs/open.c:1452 [inline]
>  __do_sys_openat fs/open.c:1468 [inline]
>  __se_sys_openat fs/open.c:1463 [inline]
>  __x64_sys_openat+0x15b/0x220 fs/open.c:1463
>  ...
> 
> [CAUSE]
> ocfs2_dx_dir_lookup_rec() only checked for an empty extent list before
> iterating over the directory index records. It did not verify that the
> root dx list fits within a dx root block, or that the leaf list fits
> within an extent block.
> 
> Comparing l_next_free_rec only against the on-disk l_count is also not
> enough because l_count itself can be corrupted.
> 
> [FIX]
> Validate both the dx root list and the leaf extent list against their
> physical record capacities before indexing into l_recs[]. Use
> ocfs2_extent_recs_per_dx_root() for the root and
> ocfs2_extent_recs_per_eb() for the leaf block so the bounds check does
> not trust on-disk sizing fields.
> 
> Fixes: 9b7895efac90 ("ocfs2: Add a name indexed b-tree to directory inodes")
> Signed-off-by: ZhengYuan Huang <gality369@xxxxxxxxx>
> ---
>  fs/ocfs2/dir.c | 41 +++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 41 insertions(+)
> 
> diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
> index b82fe4431eb1..3403c0d3810e 100644
> --- a/fs/ocfs2/dir.c
> +++ b/fs/ocfs2/dir.c
> @@ -790,15 +790,25 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
>  	struct buffer_head *eb_bh = NULL;
>  	struct ocfs2_extent_block *eb;
>  	struct ocfs2_extent_rec *rec = NULL;
> +	unsigned int max_recs;
>  
> -	if (le16_to_cpu(el->l_count) !=
> -	    ocfs2_extent_recs_per_dx_root(inode->i_sb)) {
> +	max_recs = ocfs2_extent_recs_per_dx_root(inode->i_sb);
> +	if (le16_to_cpu(el->l_count) != max_recs) {
>  		ret = ocfs2_error(inode->i_sb,
>  				  "Inode %llu has invalid extent list length %u\n",
>  				  inode->i_ino, le16_to_cpu(el->l_count));
>  		goto out;
>  	}
>  
> +	if (le16_to_cpu(el->l_next_free_rec) > max_recs) {
> +		ret = ocfs2_error(inode->i_sb,
> +				  "Inode %llu has invalid dx root next free %u, max %u\n",
> +				  inode->i_ino,
> +				  le16_to_cpu(el->l_next_free_rec),
> +				  max_recs);
> +		goto out;
> +	}
> +
>  	if (el->l_tree_depth) {
>  		ret = ocfs2_find_leaf(INODE_CACHE(inode), el, major_hash,
>  				      &eb_bh);
> @@ -817,6 +827,27 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
>  					  (unsigned long long)eb_bh->b_blocknr);
>  			goto out;
>  		}
> +
> +		max_recs = ocfs2_extent_recs_per_eb(inode->i_sb);
> +		if (le16_to_cpu(el->l_count) != max_recs) {
> +			ret = ocfs2_error(inode->i_sb,
> +					  "Inode %llu has invalid tree block %llu list count %u, max %u\n",
> +					  inode->i_ino,
> +					  (unsigned long long)eb_bh->b_blocknr,
> +					  le16_to_cpu(el->l_count),
> +					  max_recs);
> +			goto out;
> +		}
> +
> +		if (le16_to_cpu(el->l_next_free_rec) > max_recs) {
> +			ret = ocfs2_error(inode->i_sb,
> +					  "Inode %llu has invalid tree block %llu next free %u, max %u\n",
> +					  inode->i_ino,
> +					  (unsigned long long)eb_bh->b_blocknr,
> +					  le16_to_cpu(el->l_next_free_rec),
> +					  max_recs);
> +			goto out;
> +		}
>  	}
>  
>  	if (le16_to_cpu(el->l_next_free_rec) == 0) {