On Tue 08-04-25 16:38:36, Artem Sadovnikov wrote:
> On 07.04.2025 16:02, Jan Kara wrote:
> > Thanks for debugging this! The fix looks good, but I'm still failing to see
> > the use-after-free / end-of-buffer issue. If we wrongly split into two parts
> > of count/2 each, then dx_move_dirents() and dx_pack_dirents() seem to still
> > work correctly. They will just make too small an amount of space in bh, but
> > still at least one dir entry gets moved? The following add_dirent_to_buf() is
> > more likely to fail due to ENOSPC, but still I don't see the buffer overrun
> > issue? Can you please tell me what I'm missing? Thanks!
>
> add_dirent_to_buf() only checks for available space if its de parameter
> is NULL, but make_indexed_dir() provides a non-NULL de, so that space
> check is skipped entirely. add_dirent_to_buf() then calls
> ext4_insert_dentry(), which will write a filename that's potentially
> larger than the entry size and will cause an out-of-bounds write.

Indeed. I didn't notice this detail. Thanks for the explanation!

Honza
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR