Message-ID: <20251224063809.b5zs7uiiupeexzwa@inspiron>
Date: Wed, 24 Dec 2025 12:08:09 +0530
From: Prithvi <activprithvi@...il.com>
To: Heming Zhao <heming.zhao@...e.com>
Cc: mark@...heh.com, jlbec@...lplan.org, joseph.qi@...ux.alibaba.com,
	ocfs2-devel@...ts.linux.dev, linux-kernel@...r.kernel.org,
	linux-kernel-mentees@...ts.linux.dev, skhan@...uxfoundation.org,
	david.hunter.linux@...il.com, khalid@...nel.org,
	syzbot+af14efe17dfa46173239@...kaller.appspotmail.com,
	stable@...r.kernel.org
Subject: Re: [PATCH] ocfs2: Add check for total number of chains in chain list

On Mon, Dec 22, 2025 at 11:21:11PM +0800, Heming Zhao wrote:
> On Sat, Dec 20, 2025 at 03:19:28PM +0530, Prithvi Tambewagh wrote:
> > The functions ocfs2_reserve_suballoc_bits(), ocfs2_block_group_alloc(),
> > ocfs2_block_group_alloc_contig() and ocfs2_find_smallest_chain() trust
> > the on-disk values related to the allocation chain. However, a KASAN bug
> > was triggered in these functions, and the kernel panicked when accessing
> > redzoned memory. This occurred due to the corrupted value of the `cl_count`
> > field of `struct ocfs2_chain_list`. Upon analysis, the value of `cl_count`
> > was observed to be overwhelmingly large, due to which the code accessed
> > redzoned memory.
> > 
> > The fix introduces an if statement which validates the value of `cl_count`
> > (both lower and upper bounds). The lower bound check ensures the value of
> > `cl_count` is not zero, and the upper bound check ensures that the value of
> > `cl_count` is in the range such that it has a value less than the total
> > size of struct ocfs2_chain_list and the maximum number of chains that can be
> > present, so as to fill one block.
> > 
> > Reported-by: syzbot+af14efe17dfa46173239@...kaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=af14efe17dfa46173239
> > Tested-by: syzbot+af14efe17dfa46173239@...kaller.appspotmail.com
> > Cc: stable@...r.kernel.org
> > Signed-off-by: Prithvi Tambewagh <activprithvi@...il.com>
> > ---
> >  fs/ocfs2/suballoc.c | 15 +++++++++++++++
> >  1 file changed, 15 insertions(+)
> > 
> > diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
> > index f7b483f0de2a..7ea63e9cc4f8 100644
> > --- a/fs/ocfs2/suballoc.c
> > +++ b/fs/ocfs2/suballoc.c
> > @@ -671,6 +671,21 @@ static int ocfs2_block_group_alloc(struct ocfs2_super *osb,
> >  	BUG_ON(ocfs2_is_cluster_bitmap(alloc_inode));
> >  
> >  	cl = &fe->id2.i_chain;
> > +	unsigned int block_size = osb->sb->s_blocksize;
> > +	unsigned int max_cl_count =
> > +	(block_size - offsetof(struct ocfs2_chain_list, cl_recs)) /
> > +	sizeof(struct ocfs2_chain_rec);
> > +
> > +	if (!le16_to_cpu(cl->cl_count) ||
> > +	    le16_to_cpu(cl->cl_count) > max_cl_count) {
> > +		ocfs2_error(osb->sb,
> > +			    "Invalid chain list: cl_count %u "
> > +			    "exceeds max %u",
> > +			    le16_to_cpu(cl->cl_count), max_cl_count);
> > +		status = -EIO;
> > +		goto bail;
> > +	}
> > +
> >  	status = ocfs2_reserve_clusters_with_limit(osb,
> >  						   le16_to_cpu(cl->cl_cpg),
> >  						   max_block, flags, &ac);
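Review bot: the `unsigned int block_size` and `unsigned int max_cl_count` declarations are placed after the `cl = &fe->id2.i_chain;` statement; kernel style wants them with the other locals at the top of the function, and the two continuation lines of the `max_cl_count` initializer need continuation indentation. The error string `"Invalid chain list: cl_count %u exceeds max %u"` is also misleading for the zero case, which the `!le16_to_cpu(cl->cl_count)` test rejects as well; something like "cl_count %u out of range [1, %u]" reports both. Finally, `cl` points inside the inode block `fe`, so `block_size - offsetof(struct ocfs2_chain_list, cl_recs)` overstates the space actually available for `cl_recs`; the bound should account for the chain list's offset within the block, and the check is better done once where the inode block is validated on read than in this single allocator path.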
> > 
> > base-commit: 36c254515dc6592c44db77b84908358979dd6b50
> > -- 
> > 2.34.1
> > 
> 
> Since 'fe' is read by ocfs2_read_inode_block(), the validation function
> ocfs2_validate_inode_block() is the appropriate place to perform this sanity
> check.
> 
> Please follow the pattern in commit e1c70505ee81 ("ocfs2: add extra consistency
> checks for chain allocator dinodes") when adding your code.
> 
> btw, I am a little bit confused, it seems commit e1c70505ee81 is enough to fix
> this syzbot issue.
> 
> Thanks,
> Heming

Hello Heming,

Thanks for the clarification. I applied the commit e1c70505ee81 ("ocfs2: add
extra consistency checks for chain allocator dinodes") above the commit on
which syzbot reported the bug: 36c254515dc6 ("Merge tag 'powerpc-6.12-4'
of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux") and
verified that it fixes this KASAN bug.

You are right that commit e1c70505ee81 is enough to fix this bug, and my
patch is redundant in this case.

Thanks for the review and guidance!

Best Regards, 
Prithvi
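As an added, stand-alone illustration of the bounds check the commit message describes (this is not code from the patch, the thread or the kernel): it derives the maximum chain count from the block size with the patch's formula, decodes the little-endian on-disk field explicitly, and rejects both a zero and an oversized `cl_count`. The struct layouts are a simplified model of ocfs2_fs.h and the 4 KiB block is constructed; both are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified on-disk layout modelled on ocfs2_fs.h (assumption: same field
 * order and widths as the real structs, without the __le annotations). */
struct chain_rec {
	uint32_t c_free;
	uint32_t c_total;
	uint64_t c_blkno;
};

struct chain_list {
	uint16_t cl_cpg;
	uint16_t cl_bpc;
	uint16_t cl_count;
	uint16_t cl_next_free_rec;
	uint64_t cl_reserved1;
	struct chain_rec cl_recs[];
};

/* On-disk fields are little-endian; decode explicitly, as le16_to_cpu() does. */
static uint16_t le16_load(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

/* Records that fit in one block after the chain-list header: the same
 * formula the patch uses. For a 4 KiB block this is (4096 - 16) / 16 = 255. */
unsigned int max_cl_count(unsigned int block_size)
{
	return (block_size - offsetof(struct chain_list, cl_recs)) /
	       sizeof(struct chain_rec);
}

/* Returns 0 when cl_count is within [1, max_cl_count], -1 otherwise
 * (where the kernel would return -EIO). 'blk' is the raw block as read. */
int validate_chain_list(const uint8_t *blk, unsigned int block_size)
{
	uint16_t count = le16_load(blk + offsetof(struct chain_list, cl_count));

	if (count == 0 || count > max_cl_count(block_size))
		return -1;
	return 0;
}

/* Constructed 4 KiB block whose cl_count field is set little-endian. */
int check_block_with_count(uint16_t count)
{
	uint8_t blk[4096];
	size_t off = offsetof(struct chain_list, cl_count);

	memset(blk, 0, sizeof(blk));
	blk[off] = (uint8_t)(count & 0xff);
	blk[off + 1] = (uint8_t)(count >> 8);
	return validate_chain_list(blk, sizeof(blk));
}
```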
