The patch titled
     Subject: ocfs2: add bounds checking to ocfs2_xattr_find_entry()
has been added to the -mm mm-nonmm-unstable branch.  Its filename is
     ocfs2-add-bounds-checking-to-ocfs2_xattr_find_entry.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/ocfs2-add-bounds-checking-to-ocfs2_xattr_find_entry.patch

This patch will later appear in the mm-nonmm-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: Ferry Meng <mengferry@xxxxxxxxxxxxxxxxx>
Subject: ocfs2: add bounds checking to ocfs2_xattr_find_entry()
Date: Wed, 15 May 2024 21:29:33 +0800

Just add redundant (perhaps paranoia) checks to make sure it doesn't stray
beyond the valid memory region of the ocfs2 xattr entry array during a
single match.

Maybe this patch can prevent some crashes caused by crafted poison images.

Link: https://lkml.kernel.org/r/20240515132934.69511-2-mengferry@xxxxxxxxxxxxxxxxx
Signed-off-by: Ferry Meng <mengferry@xxxxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 fs/ocfs2/xattr.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/fs/ocfs2/xattr.c~ocfs2-add-bounds-checking-to-ocfs2_xattr_find_entry
+++ a/fs/ocfs2/xattr.c
@@ -1062,8 +1062,8 @@ ssize_t ocfs2_listxattr(struct dentry *d return i_ret + b_ret; } -static int ocfs2_xattr_find_entry(int name_index, - const char *name, +static int ocfs2_xattr_find_entry(struct inode *inode, void *end, + int name_index, const char *name, struct ocfs2_xattr_search *xs) { struct ocfs2_xattr_entry *entry; @@ -1076,6 +1076,10 @@ static int ocfs2_xattr_find_entry(int na name_len = strlen(name); entry = xs->here; for (i = 0; i < le16_to_cpu(xs->header->xh_count); i++) { + if ((void *)entry >= end) { + ocfs2_error(inode->i_sb, "corrupted xattr entries"); + return -EFSCORRUPTED; + } cmp = name_index - ocfs2_xattr_get_type(entry); if (!cmp) cmp = name_len - entry->xe_name_len; @@ -1171,7 +1175,7 @@ static int ocfs2_xattr_ibody_get(struct xs->base = (void *)xs->header; xs->here = xs->header->xh_entries; - ret = ocfs2_xattr_find_entry(name_index, name, xs); + ret = ocfs2_xattr_find_entry(inode, xs->end, name_index, name, xs); if (ret) return ret; size = le64_to_cpu(xs->here->xe_value_size); @@ -2703,7 +2707,7 @@ static int ocfs2_xattr_ibody_find(struct /* Find the named attribute. */ if (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL) { - ret = ocfs2_xattr_find_entry(name_index, name, xs); + ret = ocfs2_xattr_find_entry(inode, xs->end, name_index, name, xs); if (ret && ret != -ENODATA) return ret; xs->not_found = ret; @@ -2838,7 +2842,7 @@ static int ocfs2_xattr_block_find(struct xs->end = (void *)(blk_bh->b_data) + blk_bh->b_size; xs->here = xs->header->xh_entries; - ret = ocfs2_xattr_find_entry(name_index, name, xs); + ret = ocfs2_xattr_find_entry(inode, xs->end, name_index, name, xs); } else ret = ocfs2_xattr_index_block_find(inode, blk_bh, name_index, _ Patches currently in -mm which might be from mengferry@xxxxxxxxxxxxxxxxx are ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch ocfs2-add-bounds-checking-to-ocfs2_xattr_find_entry.patch
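Review bot: the new `void *end` parameter in the ocfs2_xattr_find_entry() signature (first hunk) is redundant with the search state, because every caller changed in this patch passes `xs->end` (ocfs2_xattr_ibody_get, ocfs2_xattr_ibody_find and ocfs2_xattr_block_find); reading `xs->end` inside the function instead would keep the signature shorter and remove the possibility of a future caller passing a bound that does not match the buffer `xs->here` points into. Adding `inode` for the ocfs2_error() call is fine.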
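Review bot: the check `if ((void *)entry >= end)` in the xh_count loop (second hunk) only rejects an entry whose start is at or beyond `end`; an entry that begins just before `end` but whose struct straddles it still gets `entry->xe_name_len` and ocfs2_xattr_get_type(entry) read past the buffer. Checking the end of the struct instead, e.g. `if ((void *)(entry + 1) > end)`, closes that gap for the same cost. The name bytes the entry points to are not bounded by this hunk either; judging by the title of the sibling ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xattr_find_entry.patch listed below, that is handled separately, so it would help to say so in the changelog. Including the inode number in the "corrupted xattr entries" message would also make the error actionable when triaging a damaged image.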
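Review bot: the two inline-xattr call sites (ocfs2_xattr_ibody_get and ocfs2_xattr_ibody_find, third and fourth hunks) now pass `xs->end`, but unlike ocfs2_xattr_block_find, where `xs->end = (void *)(blk_bh->b_data) + blk_bh->b_size;` is visible directly above the call, neither hunk shows where `xs->end` is set for the inode-body search. Worth confirming in the surrounding code that it is initialised to the end of the inode block before the call on both paths; otherwise the new comparison is against an unset pointer and the check is silently ineffective.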