[PATCH] ocfs2: Add i_size check for dir

From: Edward Adam Davis
Date: Tue Aug 20 2024 - 08:14:16 EST

Next message: Zhongqiu Han: "[PATCH 2/2] usb: xhci: ext-caps: Use cpu_relax() when polling registers"
Previous message: Jeongjun Park: "[PATCH net,v6,0/2] net/smc: prevent NULL pointer dereference in txopt_get"
In reply to: syzbot: "Re: [syzbot] [ocfs2?] general protection fault in ocfs2_prepare_dir_for_insert"
Next in thread: Joseph Qi: "Re: [PATCH] ocfs2: Add i_size check for dir"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When the i_size of dir is too large, it will cause limit to overflow and
be less than de_buf, ultimately resulting in last_de not being initialized
and causing uaf issue.

Reported-and-tested-by: syzbot+5a64828fcc4c2ad9b04f@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
---
fs/ocfs2/dir.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
index d620d4c53c6f..c308dba6d213 100644
--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -3343,6 +3343,8 @@ static int ocfs2_find_dir_space_id(struct inode *dir, struct buffer_head *di_bh,
unsigned long offset = 0;
unsigned int rec_len, new_rec_len, free_space;

+ if (i_size_read(dir) > OCFS2_MAX_BLOCKSIZE)
+ return -EINVAL;
/*
* This calculates how many free bytes we'd have in block zero, should
* this function force expansion to an extent tree.
--
2.43.0

Next message: Zhongqiu Han: "[PATCH 2/2] usb: xhci: ext-caps: Use cpu_relax() when polling registers"
Previous message: Jeongjun Park: "[PATCH net,v6,0/2] net/smc: prevent NULL pointer dereference in txopt_get"
In reply to: syzbot: "Re: [syzbot] [ocfs2?] general protection fault in ocfs2_prepare_dir_for_insert"
Next in thread: Joseph Qi: "Re: [PATCH] ocfs2: Add i_size check for dir"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]