| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_6858E836EFAACEC478A26E8C2E216DE0950A@qq.com>
Date: Sun, 27 Oct 2024 12:53:24 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+0c99c3f90699936c1e77@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [ext4?] KASAN: use-after-free Write in ext4_insert_dentry
directory entry space is too smaller than file name?
#syz test
diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 790db7eac6c2..cf11dcffe4bf 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2105,8 +2105,9 @@ void ext4_insert_dentry(struct inode *dir,
de->file_type = EXT4_FT_UNKNOWN;
de->inode = cpu_to_le32(inode->i_ino);
ext4_set_de_type(inode->i_sb, de, inode->i_mode);
- de->name_len = fname_len(fname);
- memcpy(de->name, fname_name(fname), fname_len(fname));
+ de->name_len = min_t(int, fname_len(fname), rlen - 8);
+ printk("rec length: %d, buf_size: %d, name length:%d, %s\n", rlen, buf_size, fname_len(fname), __func__);
+ memcpy(de->name, fname_name(fname), de->name_len);
if (ext4_hash_in_dirent(dir)) {
struct dx_hash_info *hinfo = &fname->hinfo;
Powered by blists - more mailing lists