f2fs: validate inline dentry name lengths before conversion
authorSamuel Moelius <sam.moelius@trailofbits.com>
Wed, 3 Jun 2026 15:11:40 +0000 (15:11 +0000)
committerJaegeuk Kim <jaegeuk@kernel.org>
Mon, 22 Jun 2026 19:52:36 +0000 (19:52 +0000)
Inline dentry conversion copies names out of the inline dentry area
before checking that each recorded name length fits in the available
filename slots.

A corrupted image can therefore make the conversion path read past
the inline filename storage while building the regular dentry block.

Validate each inline dentry name length against the inline filename
area before copying it.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <samuel.moelius@trailofbits.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
fs/f2fs/inline.c

index 099f7208970162e63c7613669818f3b15a29cf93..e2f7bedf155258c1e161cdea4d0b642c08393925 100644 (file)
@@ -510,6 +510,12 @@ static int f2fs_add_inline_entries(struct inode *dir, void *inline_dentry)
                        bit_pos++;
                        continue;
                }
+               if (unlikely(le16_to_cpu(de->name_len) > F2FS_NAME_LEN ||
+                            bit_pos + GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)) >
+                            d.max)) {
+                       err = -EFSCORRUPTED;
+                       goto punch_dentry_pages;
+               }
 
                /*
                 * We only need the disk_name and hash to move the dentry.
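Review bot: The new corruption branch at `err = -EFSCORRUPTED; goto punch_dentry_pages;` rejects the entry silently: it neither logs the bad `name_len` nor marks the filesystem as needing fsck, so an operator gets an error code with no hint that the image is damaged. Other f2fs dentry-corruption checks report this (they are outside this page, so worth confirming), and I would do the same before the `goto`: `f2fs_warn(F2FS_I_SB(dir), "%s: corrupted namelen=%d, run fsck to fix.", __func__, le16_to_cpu(de->name_len));` followed by `set_sbi_flag(F2FS_I_SB(dir), SBI_NEED_FSCK);`. The ordering of the two conditions matters and deserves a short comment, because the `F2FS_NAME_LEN` test short-circuits first and so bounds the slot count before it is added to `bit_pos`. As a smaller style point, `le16_to_cpu(de->name_len)` is evaluated twice in the condition and again at the `bit_pos +=` line, so a local `u16 name_len` would make the bound easier to read. The body of f2fs_add_inline_entries starts before and continues after this hunk, so the copy this check protects is not visible here.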
@@ -530,6 +536,7 @@ static int f2fs_add_inline_entries(struct inode *dir, void *inline_dentry)
                bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
        }
        return 0;
+
 punch_dentry_pages:
        truncate_inode_pages(&dir->i_data, 0);
        f2fs_truncate_blocks(dir, 0, false);