The vfs_getxattr_alloc() interface is a special-purpose in-kernel api that does a racy query-size+allocate-buffer+retrieve-data. It is used by EVM, IMA, and fscaps to retrieve xattrs. Recently, we've seen issues where 9p returned values that amount to allocating about 8000GB worth of memory (cf. [1]). That's now fixed in 9p. But vfs_getxattr_alloc() has no reason to allow getting xattr values that are larger than XATTR_MAX_SIZE as that's the limit we use for setting and getting xattr values and nothing currently goes beyond that limit afaict. Let it check for that and reject requests that are larger than that.

Link: https://lore.kernel.org/r/ZeXcQmHWcYvfCR93@do-x1extreme [1]
Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx>

--- fs/xattr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/xattr.c b/fs/xattr.c index 09d927603433..a53c930e3018 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -395,6 +395,9 @@ vfs_getxattr_alloc(struct mnt_idmap *idmap, struct dentry *dentry, if (error < 0) return error; + if (error > XATTR_SIZE_MAX) + return -E2BIG; + if (!value || (error > xattr_size)) { value = krealloc(*xattr_value, error + 1, flags); if (!value) -- 2.43.0
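
Review bot: the new `if (error > XATTR_SIZE_MAX)` check placed just before the `krealloc(*xattr_value, error + 1, flags)` call carries no comment, and the commit message names the limit XATTR_MAX_SIZE while the code uses XATTR_SIZE_MAX. Suggest a one-line comment above the check stating that the size reported by the underlying filesystem is not trusted to be within the VFS limit, so the reason for the bound survives later refactoring, and correcting the constant name in the message so it matches what a grep of the tree will find. Since -E2BIG is a new return value for the EVM, IMA and fscaps callers named in the message, the function's header comment should list it as well. The placement itself is right: the bound sits after the `error < 0` return and ahead of the allocation, so the `error + 1` size passed to krealloc() is capped at XATTR_SIZE_MAX + 1.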