Commit 6fa253b3 authored Mar 13, 2026 by Hyungjung Joo Committed by David Sterba Apr 10, 2026

affs: bound hash_pos before table lookup in affs_readdir



affs_readdir() decodes ctx->pos into hash_pos and chain_pos and then
dereferences AFFS_HEAD(dir_bh)->table[hash_pos] before validating
that hash_pos is within the runtime table bound. Treat out-of-range
positions as end-of-directory before the first table lookup.

Signed-off-by: Hyungjung Joo <jhj140711@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>

parent c3692998

fs/affs/dir.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -119,6 +119,8 @@ affs_readdir(struct file file, struct dir_context ctx)
		pr_debug("readdir() left off=%d\n", ino);
		goto inside;
		}
		if (hash_pos >= AFFS_SB(sb)->s_hashsize)
		goto done;

		ino = be32_to_cpu(AFFS_HEAD(dir_bh)->table[hash_pos]);
		for (i = 0; ino && i < chain_pos; i++) {