| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f5qcns4xuba3r52cmqoiwdfveyv3xez7zhohq64ktcswjw2otk@qoqlu7ui5yp4>
Date: Sun, 29 Jun 2025 22:45:12 -0400
From: Ivan Pravdin <ipravdin.official@...il.com>
To: Heming Zhao <heming.zhao@...e.com>,
Joseph Qi <joseph.qi@...ux.alibaba.com>, mark@...heh.com, jlbec@...lplan.org, ocfs2-devel@...ts.linux.dev,
linux-kernel@...r.kernel.org
Cc: syzbot+20282c1b2184a857ac4c@...kaller.appspotmail.com
Subject: Re: [PATCH] ocfs2: Avoid NULL pointer dereference in
dx_dir_lookup_rec()
On Mon, Jun 30, 2025 at 10:32:35AM GMT, Heming Zhao wrote:
> On 6/30/25 09:26, Joseph Qi wrote:
> > Hi,
> >
> >
> > On 2025/6/27 10:38, Ivan Pravdin wrote:
> > > When a directory entry is not found, ocfs2_dx_dir_lookup_rec() prints an
> > > error message that unconditionally dereferences the 'rec' pointer.
> > > However, if 'rec' is NULL, this leads to a NULL pointer dereference and
> > > a kernel panic.
> > >
> >
> > This looks possible, but syzbot reports slab-out-of-bounds Read in
> > ocfs2_dx_dir_lookup_rec(), not NULL pointer dereference.
> >
> > So I think it is because it construct a malicious image and set a wrong
> > l_recs, then access this damaged l_recs.
> >
> > Thanks,
> > Joseph
>
> I think this proposed fix (at least the fix method) is acceptable.
> the crash occurs at ocfs2_error(), where the pointer 'rec' must be incorrect.
> look back at the previous code lines:
> for (i = le16_to_cpu(el->l_next_free_rec) - 1; i >= 0; i--) {
> rec = &el->l_recs[i];
>
> if (le32_to_cpu(rec->e_cpos) <= major_hash) {
> found = 1;
> break;
> }
> }
>
> either 'el->l_next_free_rec' or 'el->l_recs[i]' has an incorrect value.
> we can do nothing about this kind of error, simply returning errno to caller is sufficient.
>
> btw, ocfs2-tools has a similar function "static errcode_t ocfs2_dx_dir_lookup_rec()"@libocfs2/dir_indexed.c, which sets ret with OCFS2_ET_CORRUPT_EXTENT_BLOCK and return.
Thanks, I will include it in v2.
>
> - Heming
>
> >
> >
> > > Add an explicit check for a NULL 'rec' and use an alternate error
> > > message in that case to avoid unsafe access.
> > >
> > > Reported-by: syzbot+20282c1b2184a857ac4c@...kaller.appspotmail.com
> > > Closes: https://lore.kernel.org/all/67483b75.050a0220.253251.007c.GAE@google.com/T/
> > > Signed-off-by: Ivan Pravdin <ipravdin.official@...il.com>
> > > ---
> > > fs/ocfs2/dir.c | 16 +++++++++++-----
> > > 1 file changed, 11 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
> > > index 7799f4d16ce9..dccf0349e523 100644
> > > --- a/fs/ocfs2/dir.c
> > > +++ b/fs/ocfs2/dir.c
> > > @@ -809,11 +809,17 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
> > > }
> > > if (!found) {
> > > - ret = ocfs2_error(inode->i_sb,
> > > - "Inode %lu has bad extent record (%u, %u, 0) in btree\n",
> > > - inode->i_ino,
> > > - le32_to_cpu(rec->e_cpos),
> > > - ocfs2_rec_clusters(el, rec));
> > > + if (rec) {
> > > + ret = ocfs2_error(inode->i_sb,
> > > + "Inode %lu has bad extent record (%u, %u, 0) in btree\n",
> > > + inode->i_ino,
> > > + le32_to_cpu(rec->e_cpos),
> > > + ocfs2_rec_clusters(el, rec));
> > > + } else {
> > > + ret = ocfs2_error(inode->i_sb,
> > > + "Inode %lu has no extent records in btree\n",
> > > + inode->i_ino);
> > > + }
> > > goto out;
> > > }
> >
> >
>
Ivan Pravdin
Powered by blists - more mailing lists