[0/2] ocfs2: add checks in ocfs2_xattr_find_entry() to avoid potential out-of-bound access.

Message ID	20240515132934.69511-1-mengferry@linux.alibaba.com (mailing list archive)
Headers	show Received: from out30-97.freemail.mail.aliyun.com (out30-97.freemail.mail.aliyun.com [115.124.30.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1B1E0127B45 for <ocfs2-devel@lists.linux.dev>; Wed, 15 May 2024 13:29:53 +0000 (UTC) From: Ferry Meng <mengferry@linux.alibaba.com> To: Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>, Joseph Qi <joseph.qi@linux.alibaba.com>, ocfs2-devel@lists.linux.dev Cc: linux-kernel@vger.kernel.org, Ferry Meng <mengferry@linux.alibaba.com> Subject: [PATCH 0/2] ocfs2: add checks in ocfs2_xattr_find_entry() to avoid potential out-of-bound access. Date: Wed, 15 May 2024 21:29:32 +0800 Message-Id: <20240515132934.69511-1-mengferry@linux.alibaba.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	ocfs2: add checks in ocfs2_xattr_find_entry() to avoid potential out-of-bound access. \| expand [0/2] ocfs2: add checks in ocfs2_xattr_find_entry() to avoid potential out-of-bound access. [1/2] ocfs2: add bounds checking to ocfs2_xattr_find_entry() [2/2] ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()

Message ID

20240515132934.69511-1-mengferry@linux.alibaba.com (mailing list archive)

Headers

From: Ferry Meng <mengferry@linux.alibaba.com>
To: Mark Fasheh <mark@fasheh.com>,
	Joel Becker <jlbec@evilplan.org>,
	Joseph Qi <joseph.qi@linux.alibaba.com>,
	ocfs2-devel@lists.linux.dev
Cc: linux-kernel@vger.kernel.org,
	Ferry Meng <mengferry@linux.alibaba.com>
Subject: [PATCH 0/2] ocfs2: add checks in ocfs2_xattr_find_entry() to avoid
 potential out-of-bound access.
Date: Wed, 15 May 2024 21:29:32 +0800
Message-Id: <20240515132934.69511-1-mengferry@linux.alibaba.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

ocfs2: add checks in ocfs2_xattr_find_entry() to avoid potential out-of-bound access. | expand

Message

Ferry Meng May 15, 2024, 1:29 p.m. UTC

Hi, all:

This patch series attempts to address a scenario where accessing user-defined 
xattrs in a carefully crafted image can lead to out-of-bound access.(To speak 
truthfully, I do not think this vehavior would occur under proper usage.) 

In my testing environment, I constructed an OCFS2 image, created a file with 
several user-defined xattrs(long name attributes, this will cause a "Non-INLINE"
xattr, which requires additional space for storage), and then forcibly modified
the xe_name_offset using a binary editing tool (e.g "hexedit"). Upon remounting 
the image and running 'getfattr -d /path/to/file', this patchset was able to 
detect "partial" malicious modification.

Comments and feedbacks are welcomed.

Ferry Meng (2):
  ocfs2: add bounds checking to ocfs2_xattr_find_entry()
  ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()

 fs/ocfs2/xattr.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)