[lvc-project] [PATCH v2] ocfs2: add extra consistency check to ocfs2_dx_dir_lookup_rec()

Dmitry Antipov dmantipov at yandex.ru
Tue Oct 7 12:46:26 MSK 2025


In 'ocfs2_dx_dir_lookup_rec()', check whether an extent list length
of the directory indexing block matches the one configured via the
superblock parameters established at mount, thus preventing
out-of-bounds accesses while iterating over the extent records below.

Reported-by: syzbot+30b53487d00b4f7f0922 at syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=30b53487d00b4f7f0922
Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
---
v2: move sanity check to ocfs2_dx_dir_lookup_rec() (Heming Zhao)
    and rely on the convenient ocfs2_error() to handle error
---
 fs/ocfs2/dir.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
index 8c9c4825f984..ece0462a5d26 100644
--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -778,6 +778,14 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
 	struct ocfs2_extent_block *eb;
 	struct ocfs2_extent_rec *rec = NULL;
 
+	if (le16_to_cpu(el->l_count) !=
+	    ocfs2_extent_recs_per_dx_root(inode->i_sb)) {
+		ret = ocfs2_error(inode->i_sb,
+				  "Inode %lu has invalid extent list length %u\n",
+				  inode->i_ino, le16_to_cpu(el->l_count));
+		goto out;
+	}
+
 	if (el->l_tree_depth) {
 		ret = ocfs2_find_leaf(INODE_CACHE(inode), el, major_hash,
 				      &eb_bh);
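
Review bot: the check placed ahead of the "if (el->l_tree_depth)" branch validates only l_count of the el that was passed in, while the commit message says the goal is to bound the iteration over the extent records further down. If that loop is bounded by another field of the list (for example l_next_free_rec), that field should also be checked against l_count here; and if el is repointed at the leaf block's list after ocfs2_find_leaf(), that second list is not covered by this test. The strict "!=" against ocfs2_extent_recs_per_dx_root() also assumes every caller passes the dx root's own list, which deserves a one-line comment above the check. Minor: the ocfs2_error() message prints only the on-disk value; adding the expected count from ocfs2_extent_recs_per_dx_root(inode->i_sb) would make the log line actionable, and a local variable would avoid evaluating le16_to_cpu(el->l_count) twice.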
-- 
2.51.0



