| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20260208185122.1115949-1-n7l8m4@u.northwestern.edu>
Date: Sun, 8 Feb 2026 18:51:22 +0000
From: Ziyi Guo <n7l8m4@...orthwestern.edu>
To: "Tigran A . Aivazian" <aivazian.tigran@...il.com>
Cc: linux-kernel@...r.kernel.org,
Ziyi Guo <n7l8m4@...orthwestern.edu>
Subject: [PATCH] bfs: reject inodes with zero link count in bfs_iget()
bfs_iget() reads i_nlink directly from disk without validating that
it is non-zero. A corrupted BFS image with an inode that has
i_nlink == 0 but is still referenced by a directory entry allows that
inode to be loaded. While bfs_unlink() has a recovery guard for this
case, other functions like bfs_rename() calls inode_dec_link_count()
without checking, triggering WARN_ON(inode->i_nlink == 0) in drop_nlink().
Reject inodes with zero link count at load time, consistent with
the approach used by ext4, minix, nilfs2, and other filesystems.
Signed-off-by: Ziyi Guo <n7l8m4@...orthwestern.edu>
---
fs/bfs/inode.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/bfs/inode.c b/fs/bfs/inode.c
index ce6f83234b67..85d664e169f0 100644
--- a/fs/bfs/inode.c
+++ b/fs/bfs/inode.c
@@ -96,6 +96,10 @@ struct inode *bfs_iget(struct super_block *sb, unsigned long ino)
i_uid_write(inode, le32_to_cpu(di->i_uid));
i_gid_write(inode, le32_to_cpu(di->i_gid));
set_nlink(inode, le32_to_cpu(di->i_nlink));
+ if (!inode->i_nlink) {
+ brelse(bh);
+ goto error;
+ }
inode->i_size = BFS_FILESIZE(di);
inode->i_blocks = BFS_FILEBLOCKS(di);
inode_set_atime(inode, le32_to_cpu(di->i_atime), 0);
--
2.34.1
Powered by blists - more mailing lists