author Zhang Cen <rollkingzzc@gmail.com> 2026-05-28 23:12:30 +0800
committer Andrew Morton <akpm@linux-foundation.org> 2026-06-04 14:49:28 -0700
commit e234973f286ed2e8961a24561ec91594ec3e3ff8
tree a7d54e5ff266cf0dd7997584c9d3ab878d380f61 /scripts/dummy-tools/python3
parent a291c77c034b7a81849ce9b71cc9ecda9e587d89
ocfs2: validate fast symlink target during inode read

ocfs2_validate_inode_block() already rejects several inconsistent self-contained dinodes before they are exposed to the rest of the filesystem. Fast symlinks need the same treatment.

A zero-cluster symlink is treated as a fast symlink and later read through page_get_link() and ocfs2_fast_symlink_read_folio(). That path uses strnlen() on the inline payload and then copies len + 1 bytes into the folio. If a corrupt dinode stores an i_size that does not fit the inline area or omits the terminating NUL at i_size, that copy reads past the end of the inode block buffer.

Reject zero-cluster symlink dinodes whose i_size exceeds the inline fast-symlink capacity or whose inline payload is not NUL-terminated exactly at i_size when the inode block is validated. This keeps malformed fast symlinks from reaching the read path.

Validation reproduced this kernel report:

KASAN use-after-free in ocfs2_fast_symlink_read_folio+0x12c/0x1f0
RIP: 0033:0x7f5c6d859aa7
Read of size 3905
Call trace:
  dump_stack_lvl+0x66/0xa0 (?:?)
  print_report+0xce/0x630 (?:?)
  ocfs2_fast_symlink_read_folio+0x12c/0x1f0 (fs/ocfs2/inode.c:?)
  srso_alias_return_thunk+0x5/0xfbef5 (?:?)
  __virt_addr_valid+0x19f/0x330 (?:?)
  kasan_report+0xe0/0x110 (?:?)
  kasan_check_range+0x105/0x1b0 (?:?)
  __asan_memcpy+0x23/0x60 (?:?)
  filemap_read_folio+0x27/0xe0 (?:?)
  filemap_read_folio+0x35/0xe0 (?:?)
  do_read_cache_folio+0x138/0x230 (?:?)
  __page_get_link+0x26/0x110 (?:?)
  page_get_link+0x2e/0x70 (?:?)
  vfs_readlink+0x15e/0x250 (?:?)
  touch_atime+0x4d/0x370 (?:?)
  do_readlinkat+0x186/0x200 (?:?)
  do_user_addr_fault+0x65a/0x890 (?:?)
  __x64_sys_readlink+0x46/0x60 (?:?)
  do_syscall_64+0x115/0x6a0 (arch/x86/entry/syscall_64.c:87)
  entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)

Link: https://lore.kernel.org/20260528151230.361127-1-rollkingzzc@gmail.com
Fixes: ea022dfb3c2a ("ocfs: simplify symlink handling")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Gui-Dong Han <2045gemini@gmail.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

Diffstat (limited to 'scripts/dummy-tools/python3')
0 files changed, 0 insertions, 0 deletions
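
The validation rule the commit message describes, modelled in userspace C as an added example; it is not the kernel patch or ocfs2 code. The struct, the function names and the 16-byte inline capacity are hypothetical, and reading "NUL-terminated exactly at i_size" as "the first NUL in the inline area is at index i_size" is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical inline-area size; not the real ocfs2 capacity. */
#define TOY_INLINE_CAP 16

/* Hypothetical, simplified stand-in for an on-disk dinode. */
struct toy_dinode {
    uint32_t clusters;                 /* 0 => treated as a fast symlink */
    uint64_t i_size;                   /* claimed length of the target */
    uint8_t  inline_data[TOY_INLINE_CAP];
};

/* True only if i_size leaves room for the NUL inside the inline area and
 * the first NUL in that area sits exactly at index i_size (assumption). */
bool toy_fast_symlink_ok(const struct toy_dinode *di)
{
    const uint8_t *nul;
    if (di->clusters != 0)
        return true;                   /* not a fast symlink: out of scope */
    if (di->i_size >= TOY_INLINE_CAP)
        return false;                  /* target + NUL cannot fit inline */
    nul = memchr(di->inline_data, 0, TOY_INLINE_CAP);
    return nul != NULL && (uint64_t)(nul - di->inline_data) == di->i_size;
}

/* Build a constructed sample: fill the area, then copy n bytes of target. */
struct toy_dinode toy_make(uint64_t i_size, const char *target, size_t n, uint8_t fill)
{
    struct toy_dinode di = { .clusters = 0, .i_size = i_size };
    memset(di.inline_data, fill, TOY_INLINE_CAP);
    memcpy(di.inline_data, target, n < TOY_INLINE_CAP ? n : TOY_INLINE_CAP);
    return di;
}

int main(void)
{
    struct toy_dinode s[] = {          /* all samples are constructed */
        toy_make(4, "/etc", 5, 0),     /* well formed */
        toy_make(4000, "/etc", 4, 'A'),/* i_size larger than inline area */
        toy_make(4, "/etc", 4, 'A'),   /* no NUL at i_size */
        toy_make(8, "/etc", 5, 0),     /* NUL earlier than i_size */
    };
    for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
        printf("sample %zu: %s\n", i, toy_fast_symlink_ok(&s[i]) ? "accept" : "reject");
    return 0;
}
```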