[lvc-project] [PATCH v2] ocfs2: add boundary check to ocfs2_check_dir_entry()
Heming Zhao
heming.zhao at suse.com
Mon Oct 13 10:56:37 MSK 2025
On 10/13/25 14:28, Dmitry Antipov wrote:
> In 'ocfs2_check_dir_entry()', add extra check whether at least the
> smallest possible dirent may be located at the specified offset
> within bh's data, thus preventing out-of-bounds accesses below.
>
> Reported-by: syzbot+b20bbf680bb0f2ecedae at syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
> Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
Looks good to me.
Reviewed-by: Heming Zhao <heming.zhao at suse.com>
> ---
> v2: adjust error message (Heming Zhao)
> ---
> fs/ocfs2/dir.c | 17 +++++++++++++++--
> 1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
> index ece0462a5d26..b9bf1428a3d9 100644
> --- a/fs/ocfs2/dir.c
> +++ b/fs/ocfs2/dir.c
> @@ -302,8 +302,21 @@ static int ocfs2_check_dir_entry(struct inode *dir,
> unsigned long offset)
> {
> const char *error_msg = NULL;
> - const int rlen = le16_to_cpu(de->rec_len);
> - const unsigned long next_offset = ((char *) de - buf) + rlen;
> + unsigned long next_offset;
> + int rlen;
> +
> + if (offset > size - OCFS2_DIR_REC_LEN(1)) {
> + /* Dirent is (maybe partially) beyond the buffer
> + * boundaries so touching 'de' members is unsafe.
> + */
> + mlog(ML_ERROR, "directory entry (#%llu: offset=%lu) "
> + "too close to end or out-of-bounds",
> + (unsigned long long)OCFS2_I(dir)->ip_blkno, offset);
> + return 0;
> + }
> +
> + rlen = le16_to_cpu(de->rec_len);
> + next_offset = ((char *) de - buf) + rlen;
>
> if (unlikely(rlen < OCFS2_DIR_REC_LEN(1)))
> error_msg = "rec_len is smaller than minimal";
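Review bot: the new guard `if (offset > size - OCFS2_DIR_REC_LEN(1))` subtracts before it compares, so it is only correct while `size` is at least `OCFS2_DIR_REC_LEN(1)`. The declaration of `size` is outside this hunk, but if it is unsigned, a smaller value wraps the right-hand side to a very large number and the check passes for exactly the short-buffer case it is meant to reject. Writing the condition as `size < OCFS2_DIR_REC_LEN(1) || offset > size - OCFS2_DIR_REC_LEN(1)` removes that dependency on the callers. Two smaller points: the guard tests `offset` while the reads that follow go through `de` (`(char *) de - buf`), so a short comment stating that callers pass `de` at `buf + offset` would make the assumption explicit; and the `mlog()` format string ends without `\n`, which is worth checking against the other `mlog()` calls in this file.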