This is a note to let you know that I've just added the patch titled f2fs: fix to avoid memory leakage in f2fs_listxattr to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Tue 12 May 2020 06:12:56 PM CEST From: Randall Huang <huangrandall@xxxxxxxxxx> Date: Fri, 18 Oct 2019 14:56:22 +0800 Subject: f2fs: fix to avoid memory leakage in f2fs_listxattr From: Randall Huang <huangrandall@xxxxxxxxxx> commit 688078e7f36c293dae25b338ddc9e0a2790f6e06 upstream. In f2fs_listxattr, there is no boundary check before memcpy e_name to buffer. If the e_name_len is corrupted, unexpected memory contents may be returned to the buffer. Signed-off-by: Randall Huang <huangrandall@xxxxxxxxxx> Reviewed-by: Chao Yu <yuchao0@xxxxxxxxxx> Signed-off-by: Jaegeuk Kim <jaegeuk@xxxxxxxxxx> [bwh: Backported to 4.14: Use f2fs_msg() instead of f2fs_err()] Signed-off-by: Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/f2fs/xattr.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) --- a/fs/f2fs/xattr.c +++ b/fs/f2fs/xattr.c @@ -516,8 +516,9 @@ out: ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) { struct inode *inode = d_inode(dentry); + nid_t xnid = F2FS_I(inode)->i_xattr_nid; struct f2fs_xattr_entry *entry; - void *base_addr; + void *base_addr, *last_base_addr; int error = 0; size_t rest = buffer_size; @@ -527,6 +528,8 @@ ssize_t f2fs_listxattr(struct dentry *de if (error) return error; + last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode); + list_for_each_xattr(entry, base_addr) { const struct xattr_handler *handler = f2fs_xattr_handler(entry->e_name_index); @@ -534,6 +537,16 @@ ssize_t f2fs_listxattr(struct dentry *de size_t prefix_len; size_t size; + if ((void *)(entry) + sizeof(__u32) > last_base_addr || + (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) { + f2fs_msg(dentry->d_sb, KERN_ERR, + "inode (%lu) has corrupted xattr", + inode->i_ino); + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK); + error = -EFSCORRUPTED; + goto cleanup; + } + if (!handler || (handler->list && !handler->list(dentry))) continue; Patches currently in stable-queue which might be from huangrandall@xxxxxxxxxx are queue-4.14/f2fs-fix-to-avoid-accessing-xattr-across-the-boundary.patch queue-4.14/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch