| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250714033848.GC23343@mit.edu>
Date: Sun, 13 Jul 2025 23:38:48 -0400
From: "Theodore Ts'o" <tytso@....edu>
To: Dmitry Antipov <dmantipov@...dex.ru>
Cc: "Darrick J. Wong" <djwong@...nel.org>,
Andreas Dilger <adilger.kernel@...ger.ca>, linux-ext4@...r.kernel.org,
syzbot+5322c5c260eb44d209ed@...kaller.appspotmail.com
Subject: Re: [PATCH] ext4: verify dirent offset in ext4_readdir()
On Thu, Jul 03, 2025 at 12:54:06PM +0300, Dmitry Antipov wrote:
> On 7/2/25 6:23 PM, Darrick J. Wong wrote:
>
> > Why wouldn't you encode this check in __ext4_check_dir_entry and solve
> > this problem for all the callsites?
>
> Next thing to try indeed.
>
> BTW, looking through ext4_search_dir(), why the search doesn't
> actually start from the specified offset? I.e. shouldn't it be:
ext4_search_dir() always searches the entire directory block. The
offset is relative to the beginning of the directory, and it's used
only printing error messages so someone who is debugging a file system
failure knows where in the directory the corruption was found:
ext4_error_file(filp, function, line, bh->b_blocknr,
"bad entry in directory: %s - offset=%u, "
"inode=%u, rec_len=%d, size=%d fake=%d",
error_msg, offset, le32_to_cpu(de->inode),
rlen, size, fake);
Offset can (and very often will be) significanty larger tan the size
of search_buf, so
> + de = (struct ext4_dir_entry_2 *)search_buf + offset;
would be practcally guaranteed to induce an out-of-bounds read.
- Ted
Powered by blists - more mailing lists