lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <203f104b-40b5-4513-bd86-0dfa2bd24de4@linux.alibaba.com>
Date: Wed, 2 Jul 2025 14:40:36 +0800
From: Joseph Qi <joseph.qi@...ux.alibaba.com>
To: Ivan Pravdin <ipravdin.official@...il.com>, mark@...heh.com,
 jlbec@...lplan.org, ocfs2-devel@...ts.linux.dev, linux-kernel@...r.kernel.org
Cc: syzbot+20282c1b2184a857ac4c@...kaller.appspotmail.com
Subject: Re: [PATCH v2] ocfs2: Avoid NULL pointer dereference in
 dx_dir_lookup_rec()



On 2025/7/1 10:37, Ivan Pravdin wrote:
> When a directory entry is not found, ocfs2_dx_dir_lookup_rec() prints an
> error message that unconditionally dereferences the 'rec' pointer.
> However, if 'rec' is NULL, this leads to a NULL pointer dereference and
> a kernel panic.
> 
> Add an explicit check for a NULL 'rec' and use an alternate error
> message in that case to avoid unsafe access.
> 
> Reported-by: syzbot+20282c1b2184a857ac4c@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/all/67cd7e29.050a0220.e1a89.0007.GAE@google.com/
> Signed-off-by: Ivan Pravdin <ipravdin.official@...il.com>
> ---
> v1 -> v2: Changed 'Closes:' tag to point to the correct bug report.
> 
>  fs/ocfs2/dir.c | 16 +++++++++++-----
>  1 file changed, 11 insertions(+), 5 deletions(-)
> 
> diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
> index 7799f4d16ce9..dccf0349e523 100644
> --- a/fs/ocfs2/dir.c
> +++ b/fs/ocfs2/dir.c
> @@ -809,11 +809,17 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
>  	}
>  
>  	if (!found) {
> -		ret = ocfs2_error(inode->i_sb,
> -				  "Inode %lu has bad extent record (%u, %u, 0) in btree\n",
> -				  inode->i_ino,
> -				  le32_to_cpu(rec->e_cpos),
> -				  ocfs2_rec_clusters(el, rec));
> +		if (rec) {
> +			ret = ocfs2_error(inode->i_sb,
> +					"Inode %lu has bad extent record (%u, %u, 0) in btree\n",
> +					inode->i_ino,
> +					le32_to_cpu(rec->e_cpos),
> +					ocfs2_rec_clusters(el, rec));
> +		} else {
> +			ret = ocfs2_error(inode->i_sb,
> +					"Inode %lu has no extent records in btree\n",
> +					inode->i_ino);
> +		}
>  		goto out;
>  	}
>  

'rec' is NULL can only if 'el->l_next_free_rec' is 0.
So how about check el->l_next_free_rec before. Something like:

diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
index 7799f4d16ce9..8c9c4825f984 100644
--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -798,6 +798,14 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
		}
	}

+	if (le16_to_cpu(el->l_next_free_rec) == 0) {
+		ret = ocfs2_error(inode->i_sb,
+				  "Inode %lu has empty extent list at depth %u\n",
+				  inode->i_ino,
+				  le16_to_cpu(el->l_tree_depth));
+		goto out;
+	}
+
	found = 0;
	for (i = le16_to_cpu(el->l_next_free_rec) - 1; i >= 0; i--) {
		rec = &el->l_recs[i];

Thanks,
Joseph

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ