VYPR
Unrated severity · NVD Advisory · Published Jun 22, 2026

fs: ext2: Missing structural validation of directory entries can cause out-of-bounds read and zero-progress directory traversal

CVE-2026-10645

Description

Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the code only checks de_name_len <= EXT2_MAX_FILE_NAME and then copies the name with memcpy without validating the structural relationship between de_rec_len, de_name_len, and the directory block boundary (for example that de_rec_len is non-zero, at least the size of the entry header, and that the record fits within the block). Callers such as find_dir_entry() and ext2_get_direntry() (subsys/fs/ext2/ext2_impl.c) then advance traversal using the unvalidated de_rec_len. A crafted ext2 image can therefore cause an out-of-bounds read from the directory block buffer when a malformed entry near the end of a block triggers an oversized name copy, or a zero-progress infinite loop when de_rec_len == 0. The issue is not reached at mount time but later through directory traversal paths such as pathname lookup, stat/open/unlink/rename, and readdir. The primary impact is denial of service and out-of-bounds reads under attacker-controlled ext2 images mounted from untrusted media.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing structural validation of on-disk directory entry fields (de_rec_len, de_name_len, and block boundary) before copying the entry name and advancing traversal state."

Attack vector

An attacker crafts a malicious ext2 filesystem image where a directory entry has a `de_rec_len` of zero (causing an infinite loop) or a `de_name_len` that exceeds the remaining space in the directory block (causing an out-of-bounds read). The bug is not triggered at mount time but later when the filesystem traverses directories during pathname lookup, stat, open, unlink, rename, or readdir [ref_id=1]. The primary impact is denial of service and out-of-bounds reads under attacker-controlled ext2 images mounted from untrusted media [ref_id=1].

Affected code

The vulnerability resides in `ext2_fetch_direntry()` in `subsys/fs/ext2/ext2_diskops.c`, which only checks `de_name_len <= EXT2_MAX_FILE_NAME` before copying the entry name with `memcpy`. Callers `find_dir_entry()` and `ext2_get_direntry()` in `subsys/fs/ext2/ext2_impl.c` then advance traversal using the unvalidated `de_rec_len` [ref_id=1].

What the fix does

The advisory states that patches have been merged in pull requests #108226 (main), #110031 (v4.4-branch), and #110033 (v4.3-branch), with a fix still open for v3.7-branch (#110030) [ref_id=1]. Although the patch diff is not included in the bundle, the advisory indicates the fix must add structural checks such as `de_rec_len >= sizeof(struct ext2_disk_direntry)`, `de_name_len <= de_rec_len - sizeof(struct ext2_disk_direntry)`, `block_off + de_rec_len <= block_size`, and `de_rec_len != 0` before copying the entry name and advancing the traversal offset [ref_id=1].
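
The structural checks listed above, applied in a standalone block walker. This is an added example, not Zephyr's patch or code from the advisory. It assumes the standard ext2 8-byte on-disk entry header, and `direntry_check`, `walk_block` and `sample_walk` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

#define HDR 8u /* standard ext2 entry header: inode(4) rec_len(2) name_len(1) type(1) */

/* Return the record length if the entry at `off` is structurally sound, else 0. */
static uint16_t direntry_check(const uint8_t *blk, size_t block_size, size_t off)
{
    if (off > block_size || block_size - off < HDR)
        return 0;                          /* header would cross the block end */
    uint16_t rec_len = (uint16_t)(blk[off + 4] | (blk[off + 5] << 8)); /* LE u16 */
    uint8_t name_len = blk[off + 6];
    if (rec_len < HDR)                     /* also rejects de_rec_len == 0 */
        return 0;
    if (rec_len > block_size - off)        /* block_off + de_rec_len <= block_size */
        return 0;
    if (name_len > rec_len - HDR)          /* name must fit inside the record */
        return 0;
    return rec_len;
}

/* Walk one directory block: entry count, or -1 at the first malformed entry. */
static int walk_block(const uint8_t *blk, size_t block_size)
{
    int n = 0;
    for (size_t off = 0; off < block_size; n++) {
        uint16_t rec_len = direntry_check(blk, block_size, off);
        if (rec_len == 0)
            return -1;
        off += rec_len;                    /* rec_len >= HDR: always progresses */
    }
    return n;
}

/* Constructed sample: 32-byte block holding a sound 12-byte entry at offset 0,
 * then a second entry at offset 12 with caller-chosen rec_len and name_len. */
static int sample_walk(uint16_t rec_len2, uint8_t name_len2)
{
    uint8_t blk[32] = {0};
    blk[4] = 12; blk[6] = 1;               /* entry 0: rec_len 12, name_len 1 */
    blk[12 + 4] = (uint8_t)(rec_len2 & 0xff);
    blk[12 + 5] = (uint8_t)(rec_len2 >> 8);
    blk[12 + 6] = name_len2;
    return walk_block(blk, sizeof(blk));
}
```

Because every check runs before the name is read or the offset advances, a rejected entry stops the walk with an error instead of looping or reading past the block buffer.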

Preconditions

  • config: The product must mount an ext2 filesystem image that is attacker-controlled (e.g., from untrusted removable media, user-provided images, downloaded images, or OTA-supplied filesystem images).
  • input: The attacker must be able to trigger directory traversal on the mounted filesystem (e.g., via pathname lookup, stat, open, unlink, rename, or readdir).

Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
