Patch "ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Tue, 5 Nov 2024 21:04:37 -0500

This is a note to let you know that I've just added the patch titled

    ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ocfs2-pass-u64-to-ocfs2_truncate_inline-maybe-overfl.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit e385b2a0a317a67940c499f3891df7a28f222d5a
Author: Edward Adam Davis <eadavis@xxxxxx>
Date:   Wed Oct 16 19:43:47 2024 +0800

    ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow
    
    [ Upstream commit bc0a2f3a73fcdac651fca64df39306d1e5ebe3b0 ]
    
    Syzbot reported a kernel BUG in ocfs2_truncate_inline.  There are two
    reasons for this: first, the parameter value passed is greater than
    ocfs2_max_inline_data_with_xattr, second, the start and end parameters of
    ocfs2_truncate_inline are "unsigned int".
    
    So, we need to add a sanity check for byte_start and byte_len right before
    ocfs2_truncate_inline() in ocfs2_remove_inode_range(), if they are greater
    than ocfs2_max_inline_data_with_xattr return -EINVAL.
    
    Link: https://lkml.kernel.org/r/tencent_D48DB5122ADDAEDDD11918CFB68D93258C07@xxxxxx
    Fixes: 1afc32b95233 ("ocfs2: Write support for inline data")
    Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
    Reported-by: syzbot+81092778aac03460d6b7@xxxxxxxxxxxxxxxxxxxxxxxxx
    Closes: https://syzkaller.appspot.com/bug?extid=81092778aac03460d6b7
    Reviewed-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
    Cc: Joel Becker <jlbec@xxxxxxxxxxxx>
    Cc: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
    Cc: Mark Fasheh <mark@xxxxxxxxxx>
    Cc: Junxiao Bi <junxiao.bi@xxxxxxxxxx>
    Cc: Changwei Ge <gechangwei@xxxxxxx>
    Cc: Gang He <ghe@xxxxxxxx>
    Cc: Jun Piao <piaojun@xxxxxxxxxx>
    Cc: <stable@xxxxxxxxxxxxxxx>
    Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
index f502bb2ce2ea7..ea7c79e8ce429 100644
--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1784,6 +1784,14 @@ int ocfs2_remove_inode_range(struct inode *inode,
 		return 0;
 
 	if (OCFS2_I(inode)->ip_dyn_features & OCFS2_INLINE_DATA_FL) {
+		int id_count = ocfs2_max_inline_data_with_xattr(inode->i_sb, di);
+
+		if (byte_start > id_count || byte_start + byte_len > id_count) {
+			ret = -EINVAL;
+			mlog_errno(ret);
+			goto out;
+		}
+
 		ret = ocfs2_truncate_inline(inode, di_bh, byte_start,
 					    byte_start + byte_len, 0);
 		if (ret) {







