| Message ID | 20240517094147.87133-3-mengferry@linux.alibaba.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | ocfs2: add checks in ocfs2_xattr_find_entry() to avoid potential out-of-bound access. | expand |
On 5/17/24 5:41 PM, Ferry Meng wrote: > xattr in ocfs2 maybe 'non-indexed', which saved with additional space > requested. It's better to check if the memory is out of bound before > memcmp, although this possibility mainly comes from crafted poisonous > images. > > Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com> Reported-by: lei lu <llfamsec@gmail.com> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> > --- > fs/ocfs2/xattr.c | 15 ++++++++++----- > 1 file changed, 10 insertions(+), 5 deletions(-) > > diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c > index 8aea94c90739..35c0cc2a51af 100644 > --- a/fs/ocfs2/xattr.c > +++ b/fs/ocfs2/xattr.c > @@ -1068,7 +1068,7 @@ static int ocfs2_xattr_find_entry(struct inode *inode, int name_index, > { > struct ocfs2_xattr_entry *entry; > size_t name_len; > - int i, cmp = 1; > + int i, name_offset, cmp = 1; > > if (name == NULL) > return -EINVAL; > @@ -1083,10 +1083,15 @@ static int ocfs2_xattr_find_entry(struct inode *inode, int name_index, > cmp = name_index - ocfs2_xattr_get_type(entry); > if (!cmp) > cmp = name_len - entry->xe_name_len; > - if (!cmp) > - cmp = memcmp(name, (xs->base + > - le16_to_cpu(entry->xe_name_offset)), > - name_len); > + if (!cmp) { > + name_offset = le16_to_cpu(entry->xe_name_offset); > + if ((xs->base + name_offset + name_len) > xs->end) { > + ocfs2_error(inode->i_sb, > + "corrupted xattr entries"); > + return -EFSCORRUPTED; > + } > + cmp = memcmp(name, (xs->base + name_offset), name_len); > + } > if (cmp == 0) > break; > entry += 1;
Hi, Maybe we should add the same check for ocfs2_xattr_list_entries.
diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 8aea94c90739..35c0cc2a51af 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -1068,7 +1068,7 @@ static int ocfs2_xattr_find_entry(struct inode *inode, int name_index, { struct ocfs2_xattr_entry *entry; size_t name_len; - int i, cmp = 1; + int i, name_offset, cmp = 1; if (name == NULL) return -EINVAL; @@ -1083,10 +1083,15 @@ static int ocfs2_xattr_find_entry(struct inode *inode, int name_index, cmp = name_index - ocfs2_xattr_get_type(entry); if (!cmp) cmp = name_len - entry->xe_name_len; - if (!cmp) - cmp = memcmp(name, (xs->base + - le16_to_cpu(entry->xe_name_offset)), - name_len); + if (!cmp) { + name_offset = le16_to_cpu(entry->xe_name_offset); + if ((xs->base + name_offset + name_len) > xs->end) { + ocfs2_error(inode->i_sb, + "corrupted xattr entries"); + return -EFSCORRUPTED; + } + cmp = memcmp(name, (xs->base + name_offset), name_len); + } if (cmp == 0) break; entry += 1;
xattr in ocfs2 maybe 'non-indexed', which saved with additional space requested. It's better to check if the memory is out of bound before memcmp, although this possibility mainly comes from crafted poisonous images. Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com> --- fs/ocfs2/xattr.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-)