| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <205e0d29-2567-4d82-a024-a8e7826d9f18@linux.alibaba.com> Date: Tue, 20 Aug 2024 20:44:37 +0800 From: Joseph Qi <joseph.qi@...ux.alibaba.com> To: Edward Adam Davis <eadavis@...com>, syzbot+5a64828fcc4c2ad9b04f@...kaller.appspotmail.com Cc: jlbec@...lplan.org, linux-kernel@...r.kernel.org, mark@...heh.com, ocfs2-devel@...ts.linux.dev, syzkaller-bugs@...glegroups.com Subject: Re: [PATCH] ocfs2: Add i_size check for dir On 8/20/24 8:08 PM, Edward Adam Davis wrote: > When the i_size of dir is too large, it will cause limit to overflow and > be less than de_buf, ultimately resulting in last_de not being initialized > and causing uaf issue. > > Reported-and-tested-by: syzbot+5a64828fcc4c2ad9b04f@...kaller.appspotmail.com > Signed-off-by: Edward Adam Davis <eadavis@...com> > --- > fs/ocfs2/dir.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c > index d620d4c53c6f..c308dba6d213 100644 > --- a/fs/ocfs2/dir.c > +++ b/fs/ocfs2/dir.c > @@ -3343,6 +3343,8 @@ static int ocfs2_find_dir_space_id(struct inode *dir, struct buffer_head *di_bh, > unsigned long offset = 0; > unsigned int rec_len, new_rec_len, free_space; > > + if (i_size_read(dir) > OCFS2_MAX_BLOCKSIZE) > + return -EINVAL; Why OCFS2_MAX_BLOCKSIZE? It seems that this is caused by a corrupted dir inode, since this is an inline case, we may try best to make sure it won't exceeds block size? i.e. dir->i_sb->s_blocksize. Thanks, Joseph > /* > * This calculates how many free bytes we'd have in block zero, should > * this function force expansion to an extent tree.
Powered by blists - more mailing lists