Re: [syzbot] [ext4?] KASAN: use-after-free Write in ext4_insert_dentry
From: Edward Adam Davis
Date: Sun Oct 27 2024 - 05:00:03 EST
Is the directory entry space smaller than the file name?
#syz test
diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 790db7eac6c2..cd1e1e8e0c04 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2098,15 +2098,19 @@ void ext4_insert_dentry(struct inode *dir,
if (de->inode) {
struct ext4_dir_entry_2 *de1 =
(struct ext4_dir_entry_2 *)((char *)de + nlen);
+ printk("old name: %s, old nl: %d, oonl: %d, %s\n", de->name, nlen, de->name_len, __func__);
de1->rec_len = ext4_rec_len_to_disk(rlen - nlen, buf_size);
de->rec_len = ext4_rec_len_to_disk(nlen, buf_size);
de = de1;
+ rlen = ext4_rec_len_from_disk(de->rec_len, buf_size);
}
de->file_type = EXT4_FT_UNKNOWN;
de->inode = cpu_to_le32(inode->i_ino);
ext4_set_de_type(inode->i_sb, de, inode->i_mode);
- de->name_len = fname_len(fname);
- memcpy(de->name, fname_name(fname), fname_len(fname));
+ de->name_len = min_t(int, fname_len(fname), rlen - 8);
+ printk("rec length: %d, buf_size: %d, old nl: %d, name length:%d, %s\n",
+ rlen, buf_size, nlen, fname_len(fname), __func__);
+ memcpy(de->name, fname_name(fname), de->name_len);
if (ext4_hash_in_dirent(dir)) {
struct dx_hash_info *hinfo = &fname->hinfo;