git.ipfire.org Git - thirdparty/linux.git/commitdiff
f2fs: validate dentry name length before lookup compares it
author: Samuel Moelius <sam.moelius@trailofbits.com>
Wed, 3 Jun 2026 16:11:26 +0000 (16:11 +0000)
committer: Jaegeuk Kim <jaegeuk@kernel.org>
Mon, 22 Jun 2026 19:52:37 +0000 (19:52 +0000)
The f2fs dentry lookup path can use the on-disk name length before
checking that the name fits in the dentry filename area.  A corrupted
dentry can then make lookup read beyond the filename slots.

The bounds check needs to happen before any comparison that consumes
the name length from disk.

Reject dentries with invalid name lengths before comparing their names.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
fs/f2fs/dir.c

index b1697194c3c4d1c214d15a4567c86aaa0e7dbdd0..a9563f7fcd884225ae5e090f48638347418db892 100644 (file)
@@ -250,6 +250,11 @@ struct f2fs_dir_entry *f2fs_find_target_dentry(const struct f2fs_dentry_ptr *d,
                        continue;
                }
 
+               if (unlikely(le16_to_cpu(de->name_len) > F2FS_NAME_LEN ||
+                            bit_pos + GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)) >
+                            d->max))
+                       return ERR_PTR(-EFSCORRUPTED);
+
                if (!use_hash || de->hash_code == fname->hash) {
                        res = f2fs_match_name(d->inode, fname,
                                              d->filename[bit_pos],
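
Review bot: In the added check in f2fs_find_target_dentry(), le16_to_cpu(de->name_len) is converted twice within one condition; read it once into a local declared in the loop body and test that, so both bounds are visibly checked against the same value and the condition is easier to read. The new return ERR_PTR(-EFSCORRUPTED) is also silent: nothing in the hunk reports which inode or bit_pos failed the check, so consider logging the bad name_len and bit_pos so that the corruption can be diagnosed. Because this path hands back an error pointer rather than NULL from a function returning struct f2fs_dir_entry *, it is worth confirming that every caller tests the result with IS_ERR() before dereferencing it.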