lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <68ef42f5.050a0220.91a22.0232.GAE@google.com>
Date: Tue, 14 Oct 2025 23:45:09 -0700
From: syzbot <syzbot+77026564530dbc29b854@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: [PATCH] ocfs2: validate chain list count before use in ocfs2_reserve_suballoc_bits

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: [PATCH] ocfs2: validate chain list count before use in ocfs2_reserve_suballoc_bits
Author: kartikey406@...il.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master


Add validation to check if the chain list count (cl_count) is zero
before using the chain list in ocfs2_reserve_suballoc_bits(). When
cl_count is zero, the cl_recs array is empty, but the code attempts
to access cl_recs[0] in subsequent operations, leading to an
out-of-bounds array access.

The issue was discovered by syzbot using a corrupted filesystem image
where cl_count was set to 0. This triggers a UBSAN array-index-out-of-
bounds error when ocfs2_block_group_fill() attempts to access the
first chain record.

By adding this validation early in ocfs2_reserve_suballoc_bits(), we
catch the corruption before any allocation operations begin. The
filesystem will fail to mount with a clear error message directing
users to run fsck.ocfs2.

This follows the existing pattern in the function where similar
validation checks (like OCFS2_CHAIN_FL) are performed on the
allocator inode before use.

Link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
Reported-by:syzbot+77026564530dbc29b854@...kaller.appspotmail.com
Tested-by: syzbot+77026564530dbc29b854@...kaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
---
 fs/ocfs2/suballoc.c | 8 ++++++++
 1 file changed, 8 insertions(+)
---
 fs/ocfs2/suballoc.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 6ac4dcd54588..57ec07f9751a 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -778,6 +778,7 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
 	struct buffer_head *bh = NULL;
 	struct ocfs2_dinode *fe;
 	u32 free_bits;
+	struct ocfs2_chain_list *cl;
 
 	alloc_inode = ocfs2_get_system_file_inode(osb, type, slot);
 	if (!alloc_inode) {
@@ -800,7 +801,14 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
 	ac->ac_alloc_slot = slot;
 
 	fe = (struct ocfs2_dinode *) bh->b_data;
-
+	cl = &fe->id2.i_chain;
+	/* Validate chain list before use */
+	if (le16_to_cpu(cl->cl_count) == 0) {
+		status = ocfs2_error(alloc_inode->i_sb,
+			 "Chain allocator %llu has invalid chain list (cl_count=0)\n",
+			 (unsigned long long)le64_to_cpu(fe->i_blkno));
+		goto bail;
+	}
 	/* The bh was validated by the inode read inside
 	 * ocfs2_inode_lock().  Any corruption is a code bug. */
 	BUG_ON(!OCFS2_IS_VALID_DINODE(fe));
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ