lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20251005151403.9012-1-ssranevjti@gmail.com>
Date: Sun,  5 Oct 2025 20:44:03 +0530
From: ssrane_b23@...vjti.ac.in
To: Mark Fasheh <mark@...heh.com>
Cc: Joel Becker <jlbec@...lplan.org>,
	Joseph Qi <joseph.qi@...ux.alibaba.com>,
	ocfs2-devel@...ts.linux.dev,
	linux-kernel@...r.kernel.org,
	syzbot+30b53487d00b4f7f0922@...kaller.appspotmail.com,
	Shaurya Rane <ssrane_b23@...vjti.ac.in>
Subject: [PATCH] ocfs2: Fix use-after-free in ocfs2_dx_dir_lookup_rec

From: Shaurya Rane <ssrane_b23@...vjti.ac.in>

A syzbot report triggered a KASAN use-after-free read when creating a
file on a corrupted OCFS2 filesystem image.

The crash occurs in an error-handling path within the
ocfs2_dx_dir_lookup_rec function. When the function fails to find a
matching extent record (`found` is false), it attempts to log details
about the corruption by reading from the `rec` variable.

According to the KASAN report, the memory pointed to by `rec` can be
invalid at this point, leading to a kernel crash.

Fix this by modifying the error message to use only variables that are
known to be safe, such as the inode number and the extent block's
buffer head block number. This preserves the valuable error log for
debugging corrupted filesystems while preventing the memory safety
violation.

Reported-by: syzbot+30b53487d00b4f7f0922@...kaller.appspotmail.com
Tested-by: syzbot+30b53487d00b4f7f0922@...kaller.appspotmail.com
Signed-off-by: Shaurya Rane <ssrane_b23@...vjti.ac.in>
---
 fs/ocfs2/dir.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
index 8c9c4825f984..8c4dd61efa8d 100644
--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -820,8 +820,7 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
 		ret = ocfs2_error(inode->i_sb,
 				  "Inode %lu has bad extent record (%u, %u, 0) in btree\n",
 				  inode->i_ino,
-				  le32_to_cpu(rec->e_cpos),
-				  ocfs2_rec_clusters(el, rec));
+				  eb_bh ? (unsigned long long)eb_bh->b_blocknr : 0);
 		goto out;
 	}
 
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ