Re: [PATCH] ocfs2: fix xattr array out-of-bounds in ocfs2_xa_remove_entry()

From: Heming Zhao

Date: Sun Dec 14 2025 - 08:56:05 EST


On Fri, Dec 12, 2025 at 03:18:06PM -0800, Mark Fasheh wrote:
> On Fri, Dec 12, 2025 at 5:36 AM Swaraj Gaikwad
> <swarajgaikwad1925@xxxxxxxxx> wrote:
> >
> > Syzkaller reported an out-of-bounds access in ocfs2_xa_remove_entry(),
> > triggered when removing an xattr entry.
> >
> > The root cause is that the original code decrements xh_count in-place using
> > le16_add_cpu() before reading the updated count value into a local variable.
> > However, due to the way the entry removal logic interacts with the array bounds
> > checking (enforced by __counted_by(xh_count)), the stale count during subsequent
> > operations leads to the out-of-bounds access during the removal process.
> > This patch fixes the issue by reading the current count first, computing the
> > decremented value locally, and then explicitly writing the updated count back to
> > xh_count at the end of the function. This ensures the array bounds are correctly
> > reflected throughout the entry removal without relying on in-place modification
> > timing.
> >
> > The fix has been tested by reproducing the syzkaller crash report, which no longer
> > triggers after applying the patch.
> >
> > Reported-by: syzbot+cf96bc82a588a27346a8@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Closes: https://syzkaller.appspot.com./bug?extid=cf96bc82a588a27346a8
> > Signed-off-by: Swaraj Gaikwad <swarajgaikwad1925@xxxxxxxxx>
>
> Reviewed-by: Mark Fasheh <mark@xxxxxxxxxx>
>

Hi Swaraj and Mark,

Dmitry Antipov has sent a patch to fix this issue, and that patch has already
been reviewed.

ref: https://lore.kernel.org/ocfs2-devel/5561c14a-9aaa-43b7-95f9-8428a2364f09@xxxxxxxxxxxxxxxxx/T/#u

Thanks,
Heming