| Message ID | 20240520024024.1976129-1-joseph.qi@linux.alibaba.com (mailing list archive) |
|---|---|
| State | New |
| Series | [RESEND,1/2] ocfs2: add bounds checking to ocfs2_xattr_find_entry() |
On Mon, 20 May 2024 10:40:23 +0800 Joseph Qi <joseph.qi@linux.alibaba.com> wrote:

> From: Ferry Meng <mengferry@linux.alibaba.com>
>
> From: Ferry Meng <mengferry@linux.alibaba.com>
>
> Add a paranoia check to make sure it doesn't stray beyond valid memory
> region containing ocfs2 xattr entries when scanning for a match.
> It will prevent out-of-bound access in case of crafted images.
>
> Reported-by: lei lu <llfamsec@gmail.com>
> Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>

This should have had your signed-off-by, as you were on the patch delivery path. Documentation/process/submitting-patches.rst, "Developer's Certificate of Origin 1.1". I have made that change to the mm.git copies of these two patches.
On 5/23/24 6:15 AM, Andrew Morton wrote:

> On Mon, 20 May 2024 10:40:23 +0800 Joseph Qi <joseph.qi@linux.alibaba.com> wrote:
>
>> From: Ferry Meng <mengferry@linux.alibaba.com>
>>
>> From: Ferry Meng <mengferry@linux.alibaba.com>
>>
>> Add a paranoia check to make sure it doesn't stray beyond valid memory
>> region containing ocfs2 xattr entries when scanning for a match.
>> It will prevent out-of-bound access in case of crafted images.
>>
>> Reported-by: lei lu <llfamsec@gmail.com>
>> Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
>> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
>
> This should have had your signed-off-by, as you were on the patch
> delivery path. Documentation/process/submitting-patches.rst,
> "Developer's Certificate of Origin 1.1". I have made that change to
> the mm.git copies of these two patches.

Got it. Thanks for your time.
diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 3b81213ed7b8..8aea94c90739 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -1062,7 +1062,7 @@ ssize_t ocfs2_listxattr(struct dentry *dentry, return i_ret + b_ret; } -static int ocfs2_xattr_find_entry(int name_index, +static int ocfs2_xattr_find_entry(struct inode *inode, int name_index, const char *name, struct ocfs2_xattr_search *xs) { @@ -1076,6 +1076,10 @@ static int ocfs2_xattr_find_entry(int name_index, name_len = strlen(name); entry = xs->here; for (i = 0; i < le16_to_cpu(xs->header->xh_count); i++) { + if ((void *)entry >= xs->end) { + ocfs2_error(inode->i_sb, "corrupted xattr entries"); + return -EFSCORRUPTED; + } cmp = name_index - ocfs2_xattr_get_type(entry); if (!cmp) cmp = name_len - entry->xe_name_len; @@ -1166,7 +1170,7 @@ static int ocfs2_xattr_ibody_get(struct inode *inode, xs->base = (void *)xs->header; xs->here = xs->header->xh_entries; - ret = ocfs2_xattr_find_entry(name_index, name, xs); + ret = ocfs2_xattr_find_entry(inode, name_index, name, xs); if (ret) return ret; size = le64_to_cpu(xs->here->xe_value_size); @@ -2698,7 +2702,7 @@ static int ocfs2_xattr_ibody_find(struct inode *inode, /* Find the named attribute. */ if (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL) { - ret = ocfs2_xattr_find_entry(name_index, name, xs); + ret = ocfs2_xattr_find_entry(inode, name_index, name, xs); if (ret && ret != -ENODATA) return ret; xs->not_found = ret; @@ -2833,7 +2837,7 @@ static int ocfs2_xattr_block_find(struct inode *inode, xs->end = (void *)(blk_bh->b_data) + blk_bh->b_size; xs->here = xs->header->xh_entries; - ret = ocfs2_xattr_find_entry(name_index, name, xs); + ret = ocfs2_xattr_find_entry(inode, name_index, name, xs); } else ret = ocfs2_xattr_index_block_find(inode, blk_bh, name_index,
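Review bot: the new check in the @@ -1076 hunk only verifies that `entry` itself starts below `xs->end`, not that the whole `struct ocfs2_xattr_entry` fits, so an `xh_count` that places the last entry straddling `xs->end` still lets `ocfs2_xattr_get_type(entry)` and `entry->xe_name_len` read past the buffer on the next loop iteration; suggest `if ((void *)entry + sizeof(*entry) > xs->end)` so the comparison covers the entry's last byte. The check also assumes every caller has initialized `xs->end`: that assignment is visible for the block path (`xs->end = (void *)(blk_bh->b_data) + blk_bh->b_size;`) but the ibody hunks' context shows only `xs->base` and `xs->here` being set, so it is worth confirming `xs->end` is populated before `ocfs2_xattr_find_entry()` is reached via `ocfs2_xattr_ibody_get()` and `ocfs2_xattr_ibody_find()`.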
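Review bot: the changelog does not mention that the @@ -1062 hunk changes the signature of `ocfs2_xattr_find_entry()` to take `struct inode *inode`, which is why three call sites (@@ -1170, @@ -2702, @@ -2837) are touched; a sentence noting that the inode is passed only to reach `inode->i_sb` for `ocfs2_error()` would make the patch easier to review and bisect. The error handling at the callers is otherwise consistent: the @@ -2702 caller's existing `if (ret && ret != -ENODATA) return ret;` propagates `-EFSCORRUPTED` instead of storing it in `xs->not_found`, and the other two callers return `ret` directly.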