Re: [PATCH v3] ocfs2: validate inline xattr size and entry count in ocfs2_xattr_ibody_list
From: Deepanshu Kartikey
Date: Wed Nov 19 2025 - 20:36:45 EST
On Wed, Nov 19, 2025 at 9:06 PM Heming Zhao <heming.zhao@xxxxxxxx> wrote:
> The following patch code is LGTM, but I can't understand the meaning of above
> xh_cont:20041. Please show more details for the value 20041.
The value 20041 is the actual corrupted xh_count from the syzbot
reproducer's filesystem image.
> In my view,
> the sizeof(struct ocfs2_xattr_header) is 16 (by: 2+2+2+2+(4+2+2)+0)
> the sizeof(struct ocfs2_xattr_entry) is 16 (by: 4+2+1+1+8).
> when the inline_size is 256.
> the max number of entries for inline mode: (256-16) / 16 = 15.
> therefore, the xh_count of 22 (by: 15+7) corresponds to a value that is 7
> entries beyond the boundary.
You're absolutely right! I made an error in my commit message - the
max is 15 entries, not 7.
I'll send v4 with the corrected example using xh_count of 22 as you
suggested, which is clearer than the raw syzbot value of 20041.
Thanks for catching this!
Deepanshu