lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250702152304.GM9987@frogsfrogsfrogs> Date: Wed, 2 Jul 2025 08:23:04 -0700 From: "Darrick J. Wong" <djwong@...nel.org> To: Dmitry Antipov <dmantipov@...dex.ru> Cc: Theodore Ts'o <tytso@....edu>, Andreas Dilger <adilger.kernel@...ger.ca>, linux-ext4@...r.kernel.org, syzbot+5322c5c260eb44d209ed@...kaller.appspotmail.com Subject: Re: [PATCH] ext4: verify dirent offset in ext4_readdir() On Tue, Jul 01, 2025 at 05:11:41PM +0300, Dmitry Antipov wrote: > On a corrupted filesystem, an unexpectedly large invalid value > returned by 'ext4_rec_len_from_disk()' may cause 'ext4_readdir()' > to read the next dirent from an area beyond the corresponding > buffer head's data. At this point, an exact length of the dirent > is not known yet but it's possible to check whether the shortest > possible dirent will be read from within the bh's data at least. > > Reported-by: syzbot+5322c5c260eb44d209ed@...kaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=5322c5c260eb44d209ed > Signed-off-by: Dmitry Antipov <dmantipov@...dex.ru> > --- > fs/ext4/dir.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c > index d4164c507a90..8097016f69aa 100644 > --- a/fs/ext4/dir.c > +++ b/fs/ext4/dir.c > @@ -258,6 +258,12 @@ static int ext4_readdir(struct file *file, struct dir_context *ctx) > > while (ctx->pos < inode->i_size > && offset < sb->s_blocksize) { > + /* Ensure that at least the shortest possible > + * dirent will be read from within the bh's data. > + */ > + if (offset + offsetof(struct ext4_dir_entry_2, name) > + > bh->b_size) > + break; Why wouldn't you encode this check in __ext4_check_dir_entry and solve this problem for all the callsites? --D > de = (struct ext4_dir_entry_2 *) (bh->b_data + offset); > if (ext4_check_dir_entry(inode, file, de, bh, > bh->b_data, bh->b_size, > -- > 2.50.0 > >
Powered by blists - more mailing lists