Re: [ocfs2?] KASAN: use-after-free Read in __ocfs2_find_path

From: Lizhi Xu
Date: Thu Oct 10 2024 - 00:09:06 EST

Next message: Eric Dumazet: "Re: [net-next v5 1/9] net: napi: Make napi_defer_hard_irqs per-NAPI"
Previous message: Zizhi Wo: "Re: [PATCH 0/8] netfs/cachefiles: Some bugfixes"
In reply to: syzbot: "[syzbot] [ocfs2?] KASAN: use-after-free Read in __ocfs2_find_path"
Next in thread: syzbot: "Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in __ocfs2_find_path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Extent tree depth is never bigger than 256, because the high 8 bits cannot be used.

#syz test

diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
index f7672472fa82..2ca546af9191 100644
--- a/fs/ocfs2/extent_map.c
+++ b/fs/ocfs2/extent_map.c
@@ -415,6 +415,15 @@ static int ocfs2_get_clusters_nocache(struct inode *inode,
tree_height = le16_to_cpu(el->l_tree_depth);

if (tree_height > 0) {
+ if (tree_height > 256) {
+ ocfs2_error(inode->i_sb,
+ "Inode %lu has too big tree depth %d in leaf block %llu\n",
+ inode->i_ino,
+ tree_height,
+ (unsigned long long)di_bh->b_blocknr);
+ ret = -EROFS;
+ goto out;
+ }
ret = ocfs2_find_leaf(INODE_CACHE(inode), el, v_cluster,
&eb_bh);
if (ret) {

Next message: Eric Dumazet: "Re: [net-next v5 1/9] net: napi: Make napi_defer_hard_irqs per-NAPI"
Previous message: Zizhi Wo: "Re: [PATCH 0/8] netfs/cachefiles: Some bugfixes"
In reply to: syzbot: "[syzbot] [ocfs2?] KASAN: use-after-free Read in __ocfs2_find_path"
Next in thread: syzbot: "Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in __ocfs2_find_path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]