affs: bound hash_pos before table lookup in affs_readdir

Papya-j · kdave · commit 6fa253b38b9b · 2026-04-10T02:51:05.000+02:00
affs_readdir() decodes ctx-&gt;pos into hash_pos and chain_pos and then
dereferences AFFS_HEAD(dir_bh)-&gt;table[hash_pos] before validating
that hash_pos is within the runtime table bound. Treat out-of-range
positions as end-of-directory before the first table lookup.

Signed-off-by: Hyungjung Joo &lt;jhj140711@gmail.com&gt;
Reviewed-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
diff --git a/fs/affs/dir.c b/fs/affs/dir.c
@@ -119,6 +119,8 @@ affs_readdir(struct file *file, struct dir_context *ctx)
 		pr_debug("readdir() left off=%d\n", ino);
 		goto inside;
 	}
+	if (hash_pos >= AFFS_SB(sb)->s_hashsize)
+		goto done;
 
 	ino = be32_to_cpu(AFFS_HEAD(dir_bh)->table[hash_pos]);
 	for (i = 0; ino && i < chain_pos; i++) {

Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,8 @@ affs_readdir(struct file file, struct dir_context ctx)`
`119`	`119`	`pr_debug("readdir() left off=%d\n", ino);`
`120`	`120`	`goto inside;`
`121`	`121`	`}`
	`122`	`+ if (hash_pos >= AFFS_SB(sb)->s_hashsize)`
	`123`	`+ goto done;`
`122`	`124`
`123`	`125`	`ino = be32_to_cpu(AFFS_HEAD(dir_bh)->table[hash_pos]);`
`124`	`126`	`for (i = 0; ino && i < chain_pos; i++) {`