On Tue, Aug 25, 2020 at 03:25:29PM -0500, Eric Sandeen wrote:
> The boundary test for the fixed-offset parts of xfs_attr_sf_entry
> in xfs_attr_shortform_verify is off by one. endp is the address
> just past the end of the valid data; to check the last byte of
> a structure at offset of size "size" we must subtract one.
> (i.e. for an object at offset 10, size 4, last byte is 13 not 14).
>
> This can be shown by:
>
> # touch file
> # setfattr -n root.a file
>
> and subsequent verifications will fail when it's reread from disk.
>
> This only matters for a last attribute which has a single-byte name
> and no value, otherwise the combination of namelen & valuelen will
> push endp out and this test won't fail.
>
> Fixes: 1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs")
> Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxx>
> ---
>
> diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
> index 8623c815164a..a0cf22f0c904 100644
> --- a/fs/xfs/libxfs/xfs_attr_leaf.c
> +++ b/fs/xfs/libxfs/xfs_attr_leaf.c
> @@ -1037,7 +1037,7 @@ xfs_attr_shortform_verify(
> * Check the fixed-offset parts of the structure are
> * within the data buffer.
> */
> - if (((char *)sfep + sizeof(*sfep)) >= endp)
> + if (((char *)sfep + sizeof(*sfep)-1) >= endp)
whitespace? And a comment explaining the magic "- 1" would be nice.
Did you audit the code for other occurrences of this same problem?
Cheers,
Dave.
--
Dave Chinner
david@xxxxxxxxxxxxx
