Re: [PATCH] exfat: bound uniname advance in exfat_find_dir_entry()

From: Namjae Jeon

Date: Fri Jun 12 2026 - 10:04:29 EST


> diff --git a/fs/exfat/dir.c b/fs/exfat/dir.c
> index ac008ccaa97d..d4769a0f9978 100644
> --- a/fs/exfat/dir.c
> +++ b/fs/exfat/dir.c
> @@ -1043,6 +1043,11 @@ int exfat_find_dir_entry(struct super_block *sb, struct exfat_inode_info *ei,
> uniname += EXFAT_FILE_NAME_LEN;
>
> len = exfat_extract_uni_name(ep, entry_uniname);
> + if (uniname + len >
> + p_uniname->name + MAX_NAME_LENGTH) {
> + step = DIRENT_STEP_FILE;
> + continue;
> + }
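Review bot: the check `if (uniname + len > p_uniname->name + MAX_NAME_LENGTH)` runs after `uniname += EXFAT_FILE_NAME_LEN;`, so on an overlong name `uniname` may already point past the end of `p_uniname->name` before the comparison; forming and comparing such a pointer is undefined behaviour in C, not a reliable guard, and a compiler is free to fold the test away. Derive the write position as an unsigned offset from the entry counter, compare that offset and `len` against MAX_NAME_LENGTH, and only then compute the pointer. Also confirm that `continue` on this path does not skip a `brelse(bh)` that follows `exfat_extract_uni_name()`, which would leak the buffer head.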
uniname may already be outside the array before this check, so a
pointer-based bounds check is not safe.
How about changing it like this?

+ unsigned int offset;

+ offset = (++order - 2) * EXFAT_FILE_NAME_LEN;
len = exfat_extract_uni_name(ep, entry_uniname);
brelse(bh);

+ if (offset > MAX_NAME_LENGTH ||
+ len > MAX_NAME_LENGTH - offset) {
+ step = DIRENT_STEP_FILE;
+ continue;
+ }

+ uniname = p_uniname->name + offset;
name_len += len;
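Review bot: the snippet does not show the existing `uniname += EXFAT_FILE_NAME_LEN;` being removed, and with `uniname = p_uniname->name + offset;` now recomputed from `offset` on every name entry that increment is redundant and should go in the same change. It is also worth a comment that `offset = (++order - 2) * EXFAT_FILE_NAME_LEN;` relies on `order` being at least 1 when the first name entry is reached, since the subtraction wraps if `order` is unsigned and 0; and moving `brelse(bh)` ahead of the bounds check is the right order, as the `continue` path then cannot skip the release.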
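The offset-based check suggested above, as an added worked example in C that is not code from this thread or from fs/exfat: the constants MAX_NAME_LENGTH = 255 and EXFAT_FILE_NAME_LEN = 15 are assumed, the two structs are simplified stand-ins for the kernel's types, the name entries are constructed, and the position of each 15-character chunk is derived from the entry counter and compared as an unsigned index before any pointer into the name buffer is formed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed constants and simplified stand-in structures for this example; the
 * names follow fs/exfat, but these are not the kernel's definitions. */
#define MAX_NAME_LENGTH     255
#define EXFAT_FILE_NAME_LEN 15
#define MAX_ENTRIES         20	/* enough to exceed MAX_NAME_LENGTH */

struct name_entry {			/* name part of one file-name entry */
	uint16_t unicode[EXFAT_FILE_NAME_LEN];
};

struct uni_name {			/* reassembled name, cf. exfat_uni_name */
	uint16_t name[MAX_NAME_LENGTH + 1];
	unsigned int name_len;
};

/* Copy one entry's characters to dst (stops at NUL) and return the count;
 * dst holds EXFAT_FILE_NAME_LEN + 1 elements. */
static unsigned int extract_uni_name(const struct name_entry *ep, uint16_t *dst)
{
	unsigned int i;

	for (i = 0; i < EXFAT_FILE_NAME_LEN && ep->unicode[i]; i++)
		dst[i] = ep->unicode[i];
	dst[i] = 0;
	return i;
}

/* Offset-based check. `order` counts secondary entries (1 = stream extension,
 * 2 = first name entry), `len` is this entry's character count. Only unsigned
 * indices are compared, so no out-of-range pointer is ever formed. On success
 * *offset (if non-NULL) receives the write position for this chunk. */
bool name_chunk_fits(unsigned int order, unsigned int len, unsigned int *offset)
{
	unsigned int off;

	/* before the first name entry, or beyond the last 15-char slot */
	if (order < 2 || order - 2 > MAX_NAME_LENGTH / EXFAT_FILE_NAME_LEN)
		return false;
	off = (order - 2) * EXFAT_FILE_NAME_LEN;	/* at most 255 */
	if (len > MAX_NAME_LENGTH - off)
		return false;			/* chunk would run past the end */
	if (offset)
		*offset = off;
	return true;
}

/* Reassemble a name from `count` consecutive name entries. Returns the number
 * of entries consumed, or 0 with *out cleared if any chunk would overflow,
 * the way the kernel loop abandons the file and resumes scanning. */
unsigned int assemble_name(const struct name_entry *eps, unsigned int count,
			   struct uni_name *out)
{
	uint16_t entry_uniname[EXFAT_FILE_NAME_LEN + 1];
	unsigned int order = 1;		/* stream-extension entry already seen */
	unsigned int i;

	memset(out, 0, sizeof(*out));
	for (i = 0; i < count; i++) {
		unsigned int len, offset = 0;

		len = extract_uni_name(&eps[i], entry_uniname);
		if (!name_chunk_fits(++order, len, &offset)) {
			memset(out, 0, sizeof(*out));
			return 0;
		}
		memcpy(out->name + offset, entry_uniname, len * sizeof(uint16_t));
		out->name_len += len;
	}
	out->name[out->name_len] = 0;
	return i;
}

/* Constructed input: `full` entries of 15 'a's followed by one entry of
 * `tail_len` 'b's (capped at 15). Returns the assembled name length, or 0
 * when the name was rejected as too long. */
unsigned int demo_name_len(unsigned int full, unsigned int tail_len)
{
	struct name_entry eps[MAX_ENTRIES];
	struct uni_name out;
	unsigned int n, j;

	memset(eps, 0, sizeof(eps));
	for (n = 0; n < full && n < MAX_ENTRIES - 1; n++)
		for (j = 0; j < EXFAT_FILE_NAME_LEN; j++)
			eps[n].unicode[j] = 'a';
	for (j = 0; j < tail_len && j < EXFAT_FILE_NAME_LEN; j++)
		eps[n].unicode[j] = 'b';
	assemble_name(eps, n + 1, &out);
	return out.name_len;
}
```

Seventeen full entries fill the buffer exactly (17 × 15 = 255) and are accepted; an eighteenth entry carrying even one character is rejected at the index comparison, before `out->name + offset` is ever computed, which is the difference from a check that advances the pointer first and compares afterwards.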