The i_size value of the directory "cgroup.controllers" opened by openat is 0, which causes 0 to be returned when calculating the last valid byte in nilfs_last_byte(), which ultimately causes kaddr to move forward by reclen (its value is 32 in this case), which ultimately triggers the uaf when accessing de->rec_len in nilfs_find_entry(). To avoid this issue, add a check for i_size in nilfs_lookup(). Reported-by: syzbot+96d5d14c47d97015c624@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://syzkaller.appspot.com/bug?extid=96d5d14c47d97015c624 Signed-off-by: Edward Adam Davis <eadavis@xxxxxx> --- fs/nilfs2/namei.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/nilfs2/namei.c b/fs/nilfs2/namei.c index 9b108052d9f7..0b57bcd9c2c5 100644 --- a/fs/nilfs2/namei.c +++ b/fs/nilfs2/namei.c @@ -60,6 +60,9 @@ nilfs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags) if (dentry->d_name.len > NILFS_NAME_LEN) return ERR_PTR(-ENAMETOOLONG); + if (!dir->i_size) + return ERR_PTR(-EINVAL); + res = nilfs_inode_by_name(dir, &dentry->d_name, &ino); if (res) { if (res != -ENOENT) -- 2.43.0
