From: Samuel Moelius Date: Wed, 3 Jun 2026 16:11:26 +0000 (+0000) Subject: f2fs: validate dentry name length before lookup compares it X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=90e02a8e1b6863c41876473f844c8e24b06d55f7;p=thirdparty%2Flinux.git f2fs: validate dentry name length before lookup compares it The f2fs dentry lookup path can use the on-disk name length before checking that the name fits in the dentry filename area. A corrupted dentry can then make lookup read beyond the filename slots. The bounds check needs to happen before any comparison that consumes the name length from disk. Reject dentries with invalid name lengths before comparing their names. Assisted-by: Codex:gpt-5.5-cyber-preview Signed-off-by: Samuel Moelius Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim --- diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c index b1697194c3c4d..a9563f7fcd884 100644 --- a/fs/f2fs/dir.c +++ b/fs/f2fs/dir.c @@ -250,6 +250,11 @@ struct f2fs_dir_entry *f2fs_find_target_dentry(const struct f2fs_dentry_ptr *d, continue; } + if (unlikely(le16_to_cpu(de->name_len) > F2FS_NAME_LEN || + bit_pos + GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)) > + d->max)) + return ERR_PTR(-EFSCORRUPTED); + if (!use_hash || de->hash_code == fname->hash) { res = f2fs_match_name(d->inode, fname, d->filename[bit_pos],
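Review bot: In the added condition in f2fs_find_target_dentry, le16_to_cpu(de->name_len) is decoded twice and the check carries no comment. Read the length once into a local (for example a u16 called name_len, a name chosen here for illustration) and use that value for both the F2FS_NAME_LEN comparison and the bit_pos + GET_DENTRY_SLOTS(...) > d->max bound, so the two halves of the test visibly operate on the same number. A short comment would also help: the check sits ahead of the `if (!use_hash || de->hash_code == fname->hash)` test, so it runs for every entry reached in the scan, and a single corrupted dentry makes the lookup return ERR_PTR(-EFSCORRUPTED) even when the name being searched for lives in a different slot. That is a reasonable fail-closed choice, but it is broader than the commit message's "before comparing their names" suggests and is worth stating at the check. Finally, the new return path is silent; reporting the inode and bit_pos at this point would make triage of a corrupted image much easier than a bare -EFSCORRUPTED surfacing from lookup.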