Re: [PATCH] ocfs2: fix xattr array out-of-bounds in ocfs2_xa_remove_entry()
From: Mark Fasheh
Date: Fri Dec 12 2025 - 18:18:18 EST
On Fri, Dec 12, 2025 at 5:36 AM Swaraj Gaikwad
<swarajgaikwad1925@xxxxxxxxx> wrote:
>
> Syzkaller reported an out-of-bounds access in ocfs2_xa_remove_entry(),
> triggered when removing an xattr entry.
>
> The root cause is that the original code decrements xh_count in-place using
> le16_add_cpu() before reading the updated count value into a local variable.
> However, due to the way the entry removal logic interacts with the array bounds
> checking (enforced by __counted_by(xh_count)), the stale count during subsequent
> operations leads to the out-of-bounds access during the removal process.
> This patch fixes the issue by reading the current count first, computing the
> decremented value locally, and then explicitly writing the updated count back to
> xh_count at the end of the function. This ensures the array bounds are correctly
> reflected throughout the entry removal without relying on in-place modification
> timing.
>
> The fix has been tested by reproducing the syzkaller crash report, which no longer
> triggers after applying the patch.
>
> Reported-by: syzbot+cf96bc82a588a27346a8@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com./bug?extid=cf96bc82a588a27346a8
> Signed-off-by: Swaraj Gaikwad <swarajgaikwad1925@xxxxxxxxx>
Reviewed-by: Mark Fasheh <mark@xxxxxxxxxx>
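The pattern the commit message describes, as an added illustration that is not the patch itself and not ocfs2 code: a constructed toy header with a count field and an entry array, where a checked accessor stands in for the bounds check a compiler derives from `__counted_by`. `remove_entry_stale` decrements the count in place before the element moves, so the old last slot is already outside the checked bounds; `remove_entry_fixed` reads the count once, computes the new value locally, and stores it only after the moves. All struct names, helpers and sample values are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model (not ocfs2's layout): the array's valid length is
 * the stored count, the relationship __counted_by(xh_count) declares. */
#define MAX_ENTRIES 8

struct toy_entry { uint32_t name_hash; uint32_t value_off; };

struct toy_header {
    uint16_t count;                     /* stands in for xh_count */
    struct toy_entry entries[MAX_ENTRIES];
};

/* Checked accessor emulating the counted_by bounds check: any index at or
 * beyond the *currently stored* count is out of bounds. */
static struct toy_entry *at(struct toy_header *h, size_t i)
{
    return i < h->count ? &h->entries[i] : NULL;
}

/* Shape the patch removes: count decremented in place before the moves.
 * Returns false if an access would have been flagged. */
static bool remove_entry_stale(struct toy_header *h, size_t idx)
{
    if (!at(h, idx))
        return false;
    h->count--;                         /* in-place decrement first */
    size_t n = h->count;                /* reads the already-shrunk count */
    for (size_t i = idx; i < n; i++) {
        struct toy_entry *dst = at(h, i), *src = at(h, i + 1);
        if (!dst || !src)
            return false;               /* src == old last slot: flagged */
        *dst = *src;
    }
    struct toy_entry *tail = at(h, n);  /* old last slot: also flagged */
    if (!tail)
        return false;
    memset(tail, 0, sizeof(*tail));
    return true;
}

/* Shape the patch adopts: read once, compute locally, write back last. */
static bool remove_entry_fixed(struct toy_header *h, size_t idx)
{
    uint16_t count = h->count;
    if (idx >= count)
        return false;
    uint16_t new_count = count - 1;     /* local only, not stored yet */
    for (size_t i = idx; i < new_count; i++) {
        struct toy_entry *dst = at(h, i), *src = at(h, i + 1);
        if (!dst || !src)
            return false;               /* never taken: i + 1 < count */
        *dst = *src;
    }
    struct toy_entry *tail = at(h, new_count);   /* new_count < count */
    if (!tail)
        return false;
    memset(tail, 0, sizeof(*tail));
    h->count = new_count;               /* write back at the end */
    return true;
}

/* Constructed sample: n entries with hashes 100, 101, ... */
static void fill(struct toy_header *h, uint16_t n)
{
    memset(h, 0, sizeof(*h));
    h->count = n;
    for (uint16_t i = 0; i < n; i++)
        h->entries[i].name_hash = 100u + i;
}

/* Scenario helpers on a 4-entry header, returning results for checking. */
static bool stale_flagged(size_t idx)
{
    struct toy_header h;
    fill(&h, 4);
    return !remove_entry_stale(&h, idx);
}

static int fixed_count(size_t idx)      /* count afterwards, -1 if flagged */
{
    struct toy_header h;
    fill(&h, 4);
    return remove_entry_fixed(&h, idx) ? h.count : -1;
}

static uint32_t fixed_hash_at(size_t idx, size_t slot)
{
    struct toy_header h;
    fill(&h, 4);
    return remove_entry_fixed(&h, idx) ? h.entries[slot].name_hash : 0;
}

int main(void)
{
    printf("stale: flagged=%d  fixed: count=%d slot1=%u\n",
           stale_flagged(1), fixed_count(1), fixed_hash_at(1, 1));
    return 0;
}
```

The accessor only mirrors the check's rule (index must be below the stored count); a real build gets that check from the compiler, so the demonstration is about ordering, not about the accessor.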