On Sat, Nov 26, 2016 at 10:39:46PM -0800, Eric Biggers wrote:
> It was possible for an xattr value to have a very large size, which
> would then pass validation on 32-bit architectures due to a pointer
> wraparound. Fix this by validating the size in a way which avoids
> pointer wraparound.
>
> It was also possible that a value's size would fit in the available
> space but its padded size would not. This would cause an out-of-bounds
> memory write in ext4_xattr_set_entry when replacing the xattr value.
> For example, if an xattr value of unpadded size 253 bytes went until the
> very end of the inode or block, then using setxattr(2) to replace this
> xattr's value with 256 bytes would cause a write to the 3 bytes past the
> end of the inode or buffer, and the new xattr value would be incorrectly
> truncated. Fix this by requiring that the padded size fit in the
> available space rather than the unpadded size.
>
> This patch shouldn't have any noticeable effect on
> non-corrupted/non-malicious filesystems.
>
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>

Thanks, applied.

					- Ted
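
The two validation problems described in the commit message, as an added example that is not the patch or any kernel code. It models 32-bit addresses as uint32_t; the function names, the 4-byte padding (taken from the 253 -> 256 case above) and all sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: values are padded to a 4-byte boundary (253 -> 256). */
static uint64_t padded(uint32_t size)
{
    return ((uint64_t)size + 3) & ~(uint64_t)3;
}

/* Model of a wraparound-prone check: "value + size <= end" evaluated in
 * 32-bit address arithmetic, using the unpadded size. */
int check_wrapping(uint32_t base, uint32_t off, uint32_t size, uint32_t region)
{
    uint32_t value = base + off;
    uint32_t end = base + region;
    return (uint32_t)(value + size) <= end;   /* sum can wrap past 2^32 */
}

/* Check on offsets and lengths only: nothing is added to an address, and
 * the padded size, not the unpadded one, must fit in the space left. */
int check_padded(uint32_t off, uint32_t size, uint32_t region)
{
    if (off > region)
        return 0;
    uint32_t avail = region - off;
    if (size > avail)
        return 0;
    return padded(size) <= avail;
}

/* Bytes by which a value's padded slot extends past the end of the region. */
uint32_t slot_overrun(uint32_t off, uint32_t size, uint32_t region)
{
    uint64_t end = (uint64_t)off + padded(size);
    return end > region ? (uint32_t)(end - region) : 0;
}

int main(void)
{
    uint32_t base = 0xC0001000u, region = 256;   /* constructed values */
    printf("huge size:  wrapping=%d padded=%d\n",
           check_wrapping(base, 0, 0xFFFFFFF0u, region),
           check_padded(0, 0xFFFFFFF0u, region));
    printf("253 at end: wrapping=%d padded=%d overrun=%u\n",
           check_wrapping(base, 3, 253, region),
           check_padded(3, 253, region), slot_overrun(3, 253, region));
    return 0;
}
```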