The patch titled
Subject: ocfs2: add bounds checking to ocfs2_xattr_find_entry()
has been added to the -mm mm-nonmm-unstable branch. Its filename is
ocfs2-add-bounds-checking-to-ocfs2_xattr_find_entry.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/ocfs2-add-bounds-checking-to-ocfs2_xattr_find_entry.patch
This patch will later appear in the mm-nonmm-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Ferry Meng <mengferry@xxxxxxxxxxxxxxxxx>
Subject: ocfs2: add bounds checking to ocfs2_xattr_find_entry()
Date: Wed, 15 May 2024 21:29:33 +0800
Just add redundant (perhaps paranoia) checks to make sure it doesn't stray
beyond valid meory region of ocfs2 xattr entry array during a single
match.
Maybe this patch can prevent some crash caused by crafted poison images.
Link: https://lkml.kernel.org/r/20240515132934.69511-2-mengferry@xxxxxxxxxxxxxxxxx
Signed-off-by: Ferry Meng <mengferry@xxxxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
fs/ocfs2/xattr.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/fs/ocfs2/xattr.c~ocfs2-add-bounds-checking-to-ocfs2_xattr_find_entry
+++ a/fs/ocfs2/xattr.c
@@ -1062,8 +1062,8 @@ ssize_t ocfs2_listxattr(struct dentry *d
return i_ret + b_ret;
}
-static int ocfs2_xattr_find_entry(int name_index,
- const char *name,
+static int ocfs2_xattr_find_entry(struct inode *inode, void *end,
+ int name_index, const char *name,
struct ocfs2_xattr_search *xs)
{
struct ocfs2_xattr_entry *entry;
@@ -1076,6 +1076,10 @@ static int ocfs2_xattr_find_entry(int na
name_len = strlen(name);
entry = xs->here;
for (i = 0; i < le16_to_cpu(xs->header->xh_count); i++) {
+ if ((void *)entry >= end) {
+ ocfs2_error(inode->i_sb, "corrupted xattr entries");
+ return -EFSCORRUPTED;
+ }
cmp = name_index - ocfs2_xattr_get_type(entry);
if (!cmp)
cmp = name_len - entry->xe_name_len;
@@ -1171,7 +1175,7 @@ static int ocfs2_xattr_ibody_get(struct
xs->base = (void *)xs->header;
xs->here = xs->header->xh_entries;
- ret = ocfs2_xattr_find_entry(name_index, name, xs);
+ ret = ocfs2_xattr_find_entry(inode, xs->end, name_index, name, xs);
if (ret)
return ret;
size = le64_to_cpu(xs->here->xe_value_size);
@@ -2703,7 +2707,7 @@ static int ocfs2_xattr_ibody_find(struct
/* Find the named attribute. */
if (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL) {
- ret = ocfs2_xattr_find_entry(name_index, name, xs);
+ ret = ocfs2_xattr_find_entry(inode, xs->end, name_index, name, xs);
if (ret && ret != -ENODATA)
return ret;
xs->not_found = ret;
@@ -2838,7 +2842,7 @@ static int ocfs2_xattr_block_find(struct
xs->end = (void *)(blk_bh->b_data) + blk_bh->b_size;
xs->here = xs->header->xh_entries;
- ret = ocfs2_xattr_find_entry(name_index, name, xs);
+ ret = ocfs2_xattr_find_entry(inode, xs->end, name_index, name, xs);
} else
ret = ocfs2_xattr_index_block_find(inode, blk_bh,
name_index,
_
Patches currently in -mm which might be from mengferry@xxxxxxxxxxxxxxxxx are
ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch
ocfs2-add-bounds-checking-to-ocfs2_xattr_find_entry.patch
