Re: [PATCH] exfat: bound uniname advance in exfat_find_dir_entry()

Next message: Nhat Pham: "[RFC PATCH v2 0/7] mm, swap: Virtual Swap Space (Swap Table Edition)"
Previous message: Colton Lewis: "[PATCH 20/21] KVM: arm64: selftests: Add test case for Partitioned PMU"
In reply to: Namjae Jeon: "Re: [PATCH] exfat: bound uniname advance in exfat_find_dir_entry()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Bryam Vargas

Date: Fri Jun 12 2026 - 15:37:39 EST

You're right -- by the time the check runs, uniname has already been advanced
by the previous iterations, so `uniname + len` forms a pointer past the end of
p_uniname->name[] (undefined behavior; the compiler is free to drop the check).
Bounding the integer offset before the pointer is formed is the correct fix.

v2 uses your form -- compute offset = (++order - 2) * EXFAT_FILE_NAME_LEN, reject
when offset > MAX_NAME_LENGTH || len > MAX_NAME_LENGTH - offset, and only then set
uniname = p_uniname->name + offset. Carried as Suggested-by: you.

I re-ran the KASAN repro with your version on the same crafted image (high
SecondaryCount of all-NUL name entries): the bound now rejects the walk at
order 20 (offset 270 > 255) before any out-of-bounds pointer is formed, the
lookup returns -ENOENT, and there is no KASAN report. A legitimate 255-character
name (17 * 15) still resolves -- offset reaches 240 on the last entry, len 15,
240 + 15 = 255, within bounds.

Posted as v2: https://lore.kernel.org/all/20260612-b4-disp-d3abc2b6-v2-1-93ec15095270@xxxxxxxxx/