[lvc-project] [PATCH] ocfs2: add boundary check to ocfs2_check_dir_entry()

Heming Zhao heming.zhao at suse.com
Sat Oct 11 10:58:34 MSK 2025


On 10/10/25 17:21, Dmitry Antipov wrote:
> In 'ocfs2_check_dir_entry()', add an extra check whether at least the
> smallest possible dirent may be located at the specified offset
> within bh's data, thus preventing out-of-bounds accesses below.
> 
> Reported-by: syzbot+b20bbf680bb0f2ecedae at syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
> Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
> ---
>   fs/ocfs2/dir.c | 16 ++++++++++++++--
>   1 file changed, 14 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
> index 8c9c4825f984..c523816a3ebb 100644
> --- a/fs/ocfs2/dir.c
> +++ b/fs/ocfs2/dir.c
> @@ -302,8 +302,20 @@ static int ocfs2_check_dir_entry(struct inode *dir,
>   				 unsigned long offset)
>   {
>   	const char *error_msg = NULL;
> -	const int rlen = le16_to_cpu(de->rec_len);
> -	const unsigned long next_offset = ((char *) de - buf) + rlen;
> +	unsigned long next_offset;
> +	int rlen;
> +
> +	if (offset > size - OCFS2_DIR_REC_LEN(1)) {
> +		/* Dirent is (maybe partially) beyond the buffer
> +		 * boundaries so touching 'de' members is unsafe.
> +		 */
> +		mlog(ML_ERROR, "out-of-bounds entry in directory #%llu: offset=%lu",
> +		     (unsigned long long)OCFS2_I(dir)->ip_blkno, offset);

The fix method looks good to me.
Only a minor issue: in my view, the following message is better than the one above:
"directory entry (#%llu: offset=%lu) too close to end or out-of-bounds"

Thanks,
Heming
> +		return 0;
> +	}
> +
> +	rlen = le16_to_cpu(de->rec_len);
> +	next_offset = ((char *) de - buf) + rlen;
>   
>   	if (unlikely(rlen < OCFS2_DIR_REC_LEN(1)))
>   		error_msg = "rec_len is smaller than minimal";
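Review bot: the new guard `if (offset > size - OCFS2_DIR_REC_LEN(1))` is evaluated in unsigned arithmetic (offset is an unsigned long), so if size is ever smaller than OCFS2_DIR_REC_LEN(1) the subtraction wraps, the condition is false and the reads of de->rec_len below are reached after all; a form with no subtraction that can wrap, e.g. `if (offset >= size || size - offset < OCFS2_DIR_REC_LEN(1))`, stays correct for every size. Two smaller points in the same hunk: the guard bounds `offset`, while next_offset is still derived from `(char *) de - buf`, so it is worth confirming at every call site that the two are the same quantity, otherwise the check does not cover the `de` accesses it is meant to protect; and the new mlog() format string should end with "\n", since mlog() does not append one. The multi-line comment would also normally open with `/*` on its own line per the kernel coding style.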

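Added example, not part of the patch or of the ocfs2 tree: a self-contained C model of the check the patch introduces, applied while walking a constructed directory block. It puts the posted expression (naive_fits) beside a form that cannot wrap (safe_fits) and exercises the case the check exists for, a rec_len chain that ends with fewer bytes left than the smallest dirent. The dirent layout (12-byte little-endian header, 4-byte rounding), the constructed block contents, and the names naive_fits, safe_fits, check_dir_entry, walk_dir_block, put_dirent, example_walk and example_tail_entry are assumptions for illustration, not ocfs2's own code or layout.

```c
/* Added example, not ocfs2 code. Assumed layout: 12-byte little-endian header
 * (inode 8, rec_len 2, name_len 1, file_type 1) then the name, 4-byte rounding. */
#include <stdint.h>
#include <string.h>

#define DIRENT_HDR_LEN 12u
#define DIR_REC_LEN(name_len) (((name_len) + DIRENT_HDR_LEN + 3u) & ~3u)
#define GET_LE16(p) ((uint16_t)((p)[0] | ((p)[1] << 8)))

/* The posted form "offset > size - MIN": with an unsigned size smaller
 * than MIN the subtraction wraps and the entry appears to fit. */
static int naive_fits(unsigned int size, unsigned long offset)
{
	return !(offset > size - DIR_REC_LEN(1));
}

/* Same intent, with no subtraction that can wrap. */
static int safe_fits(unsigned int size, unsigned long offset)
{
	return offset < size && size - offset >= DIR_REC_LEN(1);
}

/* 1 if the entry at `offset` is sane, else 0 with a reason in *why. No header
 * field is read until safe_fits() says the smallest entry fits in the buffer. */
static int check_dir_entry(const unsigned char *buf, unsigned int size,
			   unsigned long offset, const char **why)
{
	unsigned int rlen;

	if (!safe_fits(size, offset)) {
		*why = "entry is (partially) beyond the buffer";
		return 0;
	}
	rlen = GET_LE16(buf + offset + 8);
	if (rlen < DIR_REC_LEN(1))
		*why = "rec_len is smaller than minimal";
	else if (offset + rlen > size)
		*why = "directory entry across blocks";
	else {
		*why = NULL;
		return 1;
	}
	return 0;
}

/* Walk one block, validating each entry before trusting its rec_len.
 * Returns the entry count, or -1 with *bad_off = first rejected offset. */
static int walk_dir_block(const unsigned char *buf, unsigned int size,
			  unsigned long *bad_off, const char **why)
{
	unsigned long off = 0;
	int n = 0;

	for (*why = NULL; off < size; n++) {
		if (!check_dir_entry(buf, size, off, why)) {
			*bad_off = off;
			return -1;
		}
		off += GET_LE16(buf + off + 8);
	}
	return n;
}

/* Write a constructed entry at `off` into a zeroed buffer the caller sized;
 * inode and file_type stay zero, the checks above never read them. */
static void put_dirent(unsigned char *buf, unsigned int off,
		       const char *name, uint16_t rec_len)
{
	buf[off + 8] = (unsigned char)(rec_len & 0xff);
	buf[off + 9] = (unsigned char)(rec_len >> 8);
	buf[off + 10] = (unsigned char)strlen(name);
	memcpy(buf + off + DIRENT_HDR_LEN, name, strlen(name));
}

/* Constructed 64-byte block: "a" at 0 (rec_len 16) and "bb" at 16 with rec_len
 * `second`. Returns walk_dir_block()'s result; rejected offset via `bad` if set. */
static int example_walk(uint16_t second, unsigned long *bad)
{
	unsigned char blk[64] = {0};
	unsigned long off = 0;
	const char *why;
	int n;

	put_dirent(blk, 0, "a", 16);
	put_dirent(blk, 16, "bb", second);
	n = walk_dir_block(blk, sizeof blk, &off, &why);
	if (bad)
		*bad = off;
	return n;
}

/* second = 40 leaves 8 bytes at offset 56, fewer than DIR_REC_LEN(1), so that
 * entry is rejected before its rec_len (bytes 64..65, past the buffer) is read.
 * Returns the rejected offset, or -1 if the block validated. */
static long example_tail_entry(void)
{
	unsigned long bad = 0;
	return example_walk(40, &bad) == -1 ? (long)bad : -1;
}
```

With a second rec_len of 48 the block is filled exactly and example_walk() counts 2 entries; with 40 it stops at offset 56. For a buffer of 8 bytes, naive_fits(8, 0) still reports that the entry fits, because 8 - 16 wraps, while safe_fits(8, 0) rejects it.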