HIGH
ocfs2 InlineData UAF
CVE-2026-43076
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KernelScan AI score: 6.3 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: validate inline data i_size during inode read

When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode's i_size can exceed the actual inline data capacity (id_count). This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory.

In the syzbot report:

- i_size was 1099511627576 bytes (~1TB)
- Actual inline data capacity (id_count) is typically <256 bytes
- A garbage rec_len (54648) caused ctx->pos to jump out of bounds
- This triggered a UAF in ocfs2_check_dir_entry()

Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data.
02 KernelScan AI Analysis
Risk summary
Systems using the OCFS2 filesystem are vulnerable to kernel memory corruption and information disclosure when processing corrupted inline directory inodes. Exploitation requires an attacker with root-equivalent privileges (CAP_SYS_ADMIN in the initial user namespace) to mount a crafted or malicious OCFS2 image, or to otherwise introduce corrupted metadata onto an active volume. Once the corrupted inode is read, the kernel iterates far beyond the inline data buffer boundaries, causing a use-after-free read that leaks kernel heap data and can corrupt internal kernel state, ultimately leading to a kernel panic.
Vulnerability analysis
The vulnerability occurs in OCFS2's inode validation logic where inline data size (i_size) is not validated against the actual inline data capacity (id_count). When a corrupted filesystem has an inode with i_size exceeding id_count, ocfs2_dir_foreach_blk_id() iterates beyond the inline data buffer. Because the iteration length is effectively unbounded (up to the corrupted i_size of ~1TB), the read access crosses into freed heap memory, triggering a use-after-free in ocfs2_check_dir_entry(). The fix adds validation in ocfs2_validate_inode_block() to ensure i_size <= id_count for inline data inodes, catching the corruption early during inode read and preventing downstream exploitation.
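As an added illustration, not code from the kernel or from this advisory, the following C model shows the shape of the check the fix adds (i_size <= id_count for inline-data inodes) and how a bounded directory walk behaves on a sane inode versus one carrying the i_size and rec_len values from the syzbot report. The struct layouts, all field names other than i_size, id_count, rec_len and name_len, and the helper names are assumptions for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of an OCFS2 inline-data inode (not the on-disk layout). */
struct model_inode {
    uint64_t i_size;          /* size the inode claims */
    uint16_t id_count;        /* bytes actually available inline */
    uint8_t  inline_data[256]; /* the inline buffer itself */
};

/* Directory entry header; field order is an assumption for this example. */
struct model_dirent { uint16_t rec_len; uint8_t name_len, file_type; char name[]; };

/* The check the fix adds: inline data may not claim more bytes than the
 * inline area holds. Returns 0 if sane, -1 if corrupted. */
int validate_inline_isize(const struct model_inode *di) {
    return di->i_size > di->id_count ? -1 : 0;
}

/* Walk the inline directory bounded by the validated i_size, rejecting a
 * rec_len that is too small, misaligned, or crosses the end of the buffer.
 * Returns the entry count, or -1 on corruption. */
int count_inline_dirents(const struct model_inode *di) {
    uint64_t pos = 0, limit = di->i_size;
    int n;
    if (validate_inline_isize(di) != 0)
        return -1;
    for (n = 0; pos + sizeof(struct model_dirent) <= limit; n++) {
        const struct model_dirent *de = (const void *)(di->inline_data + pos);
        if (de->rec_len < sizeof(*de) + de->name_len || (de->rec_len & 3) ||
            pos + de->rec_len > limit)
            return -1; /* garbage rec_len: stop instead of jumping ahead */
        pos += de->rec_len;
    }
    return n;
}

/* Constructed samples: a sane inline directory holding "." and "..", or the
 * same buffer with the ~1TB i_size and garbage rec_len from the syzbot report. */
void make_sample(struct model_inode *di, int corrupt) {
    struct model_dirent *de = (void *)di->inline_data;
    memset(di, 0, sizeof(*di));
    di->id_count = 256;
    de->rec_len = 12; de->name_len = 1; de->name[0] = '.';
    de = (void *)(di->inline_data + 12);
    de->rec_len = 12; de->name_len = 2; memcpy(de->name, "..", 2);
    di->i_size = corrupt ? 1099511627576ULL : 24;
    if (corrupt)
        ((struct model_dirent *)(void *)di->inline_data)->rec_len = 54648;
}
```

Without the i_size check, the walk's limit would be the claimed ~1TB and the garbage rec_len would carry the cursor far past the 256-byte buffer, which is the out-of-bounds path the report describes.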
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | d012c782abca |
| 5.15 | 5.15.209 | bcd46bc261b2 |
| 6.1 | 6.1.175 | 131c0b573e1b |
| 6.6 | 6.6.136 | 37f074e65f24 |
| 6.12 | 6.12.83 | c1de19e891be |
| 6.18 | 6.18.24 | cd2d765aa715 |
| 6.19 | 6.19.14 | 77d029572510 |
| mainline | 7.0 | 1524af3685b3 |