mirror of
https://github.com/torvalds/linux.git
synced 2026-05-24 23:22:31 +02:00
7bc5da4842
KASAN reports a use-after-free write of 4086 bytes in
ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on
a loop device. The actual bug is an out-of-bounds write past the inode
block buffer, not a true use-after-free. The write overflows into an
adjacent freed page, which KASAN reports as UAF.
The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk
id_count field to determine whether a write fits in inline data. On a
corrupted filesystem, id_count can exceed the physical maximum inline data
capacity, causing writes to overflow the inode block buffer.
Call trace (crash path):
vfs_copy_file_range (fs/read_write.c:1634)
do_splice_direct
splice_direct_to_actor
iter_file_splice_write
ocfs2_file_write_iter
generic_perform_write
ocfs2_write_end
ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
memcpy_from_folio <-- KASAN: write OOB
So add id_count upper bound check in ocfs2_validate_inode_block() to
alongside the existing i_size check to fix it.
Link: https://lkml.kernel.org/r/20260403063830.3662739-1-joseph.qi@linux.alibaba.com
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reported-by: syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=62c1793956716ea8b28a
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||
|---|---|---|
| .. | ||
| cluster | ||
| dlm | ||
| dlmfs | ||
| acl.c | ||
| acl.h | ||
| alloc.c | ||
| alloc.h | ||
| aops.c | ||
| aops.h | ||
| blockcheck.c | ||
| blockcheck.h | ||
| buffer_head_io.c | ||
| buffer_head_io.h | ||
| dcache.c | ||
| dcache.h | ||
| dir.c | ||
| dir.h | ||
| dlmglue.c | ||
| dlmglue.h | ||
| export.c | ||
| export.h | ||
| extent_map.c | ||
| extent_map.h | ||
| file.c | ||
| file.h | ||
| filecheck.c | ||
| filecheck.h | ||
| heartbeat.c | ||
| heartbeat.h | ||
| inode.c | ||
| inode.h | ||
| ioctl.c | ||
| ioctl.h | ||
| journal.c | ||
| journal.h | ||
| Kconfig | ||
| localalloc.c | ||
| localalloc.h | ||
| locks.c | ||
| locks.h | ||
| Makefile | ||
| mmap.c | ||
| mmap.h | ||
| move_extents.c | ||
| move_extents.h | ||
| namei.c | ||
| namei.h | ||
| ocfs1_fs_compat.h | ||
| ocfs2_fs.h | ||
| ocfs2_ioctl.h | ||
| ocfs2_lockid.h | ||
| ocfs2_lockingver.h | ||
| ocfs2_trace.h | ||
| ocfs2.h | ||
| quota_global.c | ||
| quota_local.c | ||
| quota.h | ||
| refcounttree.c | ||
| refcounttree.h | ||
| reservations.c | ||
| reservations.h | ||
| resize.c | ||
| resize.h | ||
| slot_map.c | ||
| slot_map.h | ||
| stack_o2cb.c | ||
| stack_user.c | ||
| stackglue.c | ||
| stackglue.h | ||
| suballoc.c | ||
| suballoc.h | ||
| super.c | ||
| super.h | ||
| symlink.c | ||
| symlink.h | ||
| sysfile.c | ||
| sysfile.h | ||
| uptodate.c | ||
| uptodate.h | ||
| xattr.c | ||
| xattr.h | ||