[PATCH v4 0/2] ocfs2: validate xattr metadata bounds
From: Cen Zhang
Date: Mon Jun 22 2026 - 09:03:46 EST
Hi,
This v4 rebases the series on current torvalds/master and reworks the
inline xattr part on top of the newly merged
ocfs2_xattr_ibody_lookup_header() helper.
Patch 1 extends the shared ibody helper with xattr entry name/value
bounds checks and calls it from ocfs2_validate_inode_block().
Patch 2 validates non-indexed external xattr blocks from
ocfs2_validate_xattr_block(). Indexed xattr buckets do not pass through
that validator, so their header and per-entry bounds are checked after
bucket ECC verification in ocfs2_read_xattr_bucket().
Both issues were reproduced with crafted OCFS2 images under KASAN.
Changes since v3:
- Rebase on current torvalds/master.
- Build on the newly merged ocfs2_xattr_ibody_lookup_header() helper
instead of adding a duplicate inline-header helper.
- Keep indexed bucket xh_entries[] bounded by the first bucket block,
while checking name/value offsets against the addressed bucket block.
Cen Zhang (2):
ocfs2: validate inline xattrs during inode block validation
ocfs2: validate external xattr entries when reading metadata
fs/ocfs2/inode.c | 4 +
fs/ocfs2/xattr.c | 192 +++++++++++++++++++++++++++++++++++++++++------
fs/ocfs2/xattr.h | 2 +
3 files changed, 177 insertions(+), 21 deletions(-)
--
2.43.0