Message-ID: <tencent_4E83A7C006C212DC065509AAEEC86EC48C06@qq.com>
Date: Sun, 27 Oct 2024 16:54:44 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+0c99c3f90699936c1e77@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [ext4?] KASAN: use-after-free Write in ext4_insert_dentry
Is the directory entry space too small for the file name?
#syz test
diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 790db7eac6c2..cd1e1e8e0c04 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2098,15 +2098,19 @@ void ext4_insert_dentry(struct inode *dir,
if (de->inode) {
struct ext4_dir_entry_2 *de1 =
(struct ext4_dir_entry_2 *)((char *)de + nlen);
+ printk("old name: %s, old nl: %d, oonl: %d, %s\n", de->name, nlen, de->name_len, __func__);
de1->rec_len = ext4_rec_len_to_disk(rlen - nlen, buf_size);
de->rec_len = ext4_rec_len_to_disk(nlen, buf_size);
de = de1;
+ rlen = ext4_rec_len_from_disk(de->rec_len, buf_size);
}
de->file_type = EXT4_FT_UNKNOWN;
de->inode = cpu_to_le32(inode->i_ino);
ext4_set_de_type(inode->i_sb, de, inode->i_mode);
- de->name_len = fname_len(fname);
- memcpy(de->name, fname_name(fname), fname_len(fname));
+ de->name_len = min_t(int, fname_len(fname), rlen - 8);
+ printk("rec length: %d, buf_size: %d, old nl: %d, name length:%d, %s\n",
+ rlen, buf_size, nlen, fname_len(fname), __func__);
+ memcpy(de->name, fname_name(fname), de->name_len);
if (ext4_hash_in_dirent(dir)) {
struct dx_hash_info *hinfo = &fname->hinfo;