On Mon, Nov 28, 2016 at 12:50:02PM -0700, Andreas Dilger wrote:
> On Nov 26, 2016, at 11:39 PM, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> >
> > It was possible for an xattr value to have a very large size, which
> > would then pass validation on 32-bit architectures due to a pointer
> > wraparound.  Fix this by validating the size in a way which avoids
> > pointer wraparound.
>
> It isn't actually possible for a valid xattr value to be very large.
> At most 65536 bytes even with large blocks, so it might be easier to
> directly check that e_value_size is not too large rather than trying
> to deal with values of 0xfffffffe bytes or similar?
>

I suppose we could do something like

	EXT4_XATTR_SIZE(size) > end - value || size > EXT4_MAX_BLOCK_SIZE

instead of

	size > end - value || EXT4_XATTR_SIZE(size) > end - value

But I don't think it's really any better.

Eric
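Added example, not part of the original message or of the ext4 source: a small C model of the two checks compared above, with 32-bit pointers simulated as uint32_t so the wraparound reproduces on any host. The macro values, the constructed addresses, the function names and the shape of the pointer-addition check are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed to mirror ext4's 4-byte xattr padding; the cap is the 65536 quoted in the thread. */
#define XATTR_ROUND     3u
#define XATTR_SIZE(s)   (((s) + XATTR_ROUND) & ~XATTR_ROUND)
#define MAX_BLOCK_SIZE  65536u

/* 32-bit addresses modeled as integers so the wrap is well defined here. */
typedef uint32_t addr32;

/* Pointer-addition form (assumed shape): value + size wraps modulo 2^32. 1 = accepted. */
static int check_wrapping(addr32 value, addr32 end, uint32_t size)
{
    return !((addr32)(value + size) > end);
}

/* Form from the patch: compare sizes against the remaining room instead. */
static int check_patch(addr32 value, addr32 end, uint32_t size)
{
    uint32_t room = end - value;   /* caller guarantees value <= end */
    return !(size > room || XATTR_SIZE(size) > room);
}

/* Alternative from the reply: padded size against room, plus an absolute cap. */
static int check_capped(addr32 value, addr32 end, uint32_t size)
{
    return !(XATTR_SIZE(size) > end - value || size > MAX_BLOCK_SIZE);
}

/* Padded-size comparison alone: the rounding itself wraps, so it is not enough. */
static int check_padded_only(addr32 value, addr32 end, uint32_t size)
{
    return !(XATTR_SIZE(size) > end - value);
}

int main(void)
{
    const addr32 value = 0xc1000100u, end = 0xc1000400u;   /* constructed */
    const uint32_t sizes[] = { 0x100u, 0x301u, 0xfffffffeu };
    for (int i = 0; i < 3; i++)
        printf("size=%#x wrapping=%d patch=%d capped=%d padded_only=%d\n",
               (unsigned)sizes[i], check_wrapping(value, end, sizes[i]),
               check_patch(value, end, sizes[i]), check_capped(value, end, sizes[i]),
               check_padded_only(value, end, sizes[i]));
    return 0;
}
```

Both forms from the thread reject the 0xfffffffe case; each needs its second term because XATTR_SIZE(0xfffffffe) rounds up to 0 in 32-bit arithmetic.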