[PATCH 1/1] affs: bound hash_pos before table lookup in affs_readdir

From: David Sterba

Date: Thu Apr 09 2026 - 21:39:16 EST


From: Hyungjung Joo <jhj140711@xxxxxxxxx>

affs_readdir() decodes ctx->pos into hash_pos and chain_pos and then
dereferences AFFS_HEAD(dir_bh)->table[hash_pos] before validating
that hash_pos is within the runtime table bound. Treat out-of-range
positions as end-of-directory before the first table lookup.

Signed-off-by: Hyungjung Joo <jhj140711@xxxxxxxxx>
Reviewed-by: David Sterba <dsterba@xxxxxxxx>
Signed-off-by: David Sterba <dsterba@xxxxxxxx>
---
fs/affs/dir.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/affs/dir.c b/fs/affs/dir.c
index 5c8d83387a39..075c18c4ccde 100644
--- a/fs/affs/dir.c
+++ b/fs/affs/dir.c
@@ -119,6 +119,8 @@ affs_readdir(struct file *file, struct dir_context *ctx)
pr_debug("readdir() left off=%d\n", ino);
goto inside;
}
+ if (hash_pos >= AFFS_SB(sb)->s_hashsize)
+ goto done;

ino = be32_to_cpu(AFFS_HEAD(dir_bh)->table[hash_pos]);
for (i = 0; ino && i < chain_pos; i++) {
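Review bot: the new `hash_pos >= AFFS_SB(sb)->s_hashsize` check is placed after the `goto inside;` shortcut, so a readdir that resumes through that branch never reaches it. If the code at `inside` can index `table[hash_pos]` with the value decoded from ctx->pos, the check should be hoisted above the shortcut block. If that path cannot use an out-of-range hash_pos, a short comment above the check saying so would spare the next reader the question. The jump to `done` also skips everything between here and that label, so please confirm that `done` releases whatever was acquired for `dir_bh` before this point. Finally, the commit message describes the missing validation but not how an out-of-range ctx->pos reaches affs_readdir(); one sentence on that would help with backport decisions.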
--
2.51.0