| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_EC9ACDC0793A6F742D7D6FA094F0E96AEF0A@qq.com> Date: Tue, 20 Aug 2024 20:08:38 +0800 From: Edward Adam Davis <eadavis@...com> To: syzbot+5a64828fcc4c2ad9b04f@...kaller.appspotmail.com Cc: jlbec@...lplan.org, joseph.qi@...ux.alibaba.com, linux-kernel@...r.kernel.org, mark@...heh.com, ocfs2-devel@...ts.linux.dev, syzkaller-bugs@...glegroups.com Subject: [PATCH] ocfs2: Add i_size check for dir When the i_size of dir is too large, it will cause limit to overflow and be less than de_buf, ultimately resulting in last_de not being initialized and causing uaf issue. Reported-and-tested-by: syzbot+5a64828fcc4c2ad9b04f@...kaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@...com> --- fs/ocfs2/dir.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c index d620d4c53c6f..c308dba6d213 100644 --- a/fs/ocfs2/dir.c +++ b/fs/ocfs2/dir.c @@ -3343,6 +3343,8 @@ static int ocfs2_find_dir_space_id(struct inode *dir, struct buffer_head *di_bh, unsigned long offset = 0; unsigned int rec_len, new_rec_len, free_space; + if (i_size_read(dir) > OCFS2_MAX_BLOCKSIZE) + return -EINVAL; /* * This calculates how many free bytes we'd have in block zero, should * this function force expansion to an extent tree. -- 2.43.0
Powered by blists - more mailing lists