Patch "ocfs2: add bounds checking to ocfs2_xattr_find_entry()" has been added to the 5.15-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    ocfs2: add bounds checking to ocfs2_xattr_find_entry()

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ocfs2-add-bounds-checking-to-ocfs2_xattr_find_entry.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit cc54cb294cbd7d62a902cb55876d5c7586a5191c
Author: Ferry Meng <mengferry@xxxxxxxxxxxxxxxxx>
Date:   Mon May 20 10:40:23 2024 +0800

    ocfs2: add bounds checking to ocfs2_xattr_find_entry()
    
    [ Upstream commit 9e3041fecdc8f78a5900c3aa51d3d756e73264d6 ]
    
    Add a paranoia check to make sure it doesn't stray beyond valid memory
    region containing ocfs2 xattr entries when scanning for a match.  It will
    prevent out-of-bound access in case of crafted images.
    
    Link: https://lkml.kernel.org/r/20240520024024.1976129-1-joseph.qi@xxxxxxxxxxxxxxxxx
    Signed-off-by: Ferry Meng <mengferry@xxxxxxxxxxxxxxxxx>
    Signed-off-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
    Reported-by: lei lu <llfamsec@xxxxxxxxx>
    Reviewed-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
    Cc: Mark Fasheh <mark@xxxxxxxxxx>
    Cc: Joel Becker <jlbec@xxxxxxxxxxxx>
    Cc: Junxiao Bi <junxiao.bi@xxxxxxxxxx>
    Cc: Changwei Ge <gechangwei@xxxxxxx>
    Cc: Gang He <ghe@xxxxxxxx>
    Cc: Jun Piao <piaojun@xxxxxxxxxx>
    Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
    Stable-dep-of: af77c4fc1871 ("ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()")
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index c101a71a52ae8..884e45d27564b 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -1066,7 +1066,7 @@ ssize_t ocfs2_listxattr(struct dentry *dentry,
 	return i_ret + b_ret;
 }
 
-static int ocfs2_xattr_find_entry(int name_index,
+static int ocfs2_xattr_find_entry(struct inode *inode, int name_index,
 				  const char *name,
 				  struct ocfs2_xattr_search *xs)
 {
@@ -1080,6 +1080,10 @@ static int ocfs2_xattr_find_entry(int name_index,
 	name_len = strlen(name);
 	entry = xs->here;
 	for (i = 0; i < le16_to_cpu(xs->header->xh_count); i++) {
+		if ((void *)entry >= xs->end) {
+			ocfs2_error(inode->i_sb, "corrupted xattr entries");
+			return -EFSCORRUPTED;
+		}
 		cmp = name_index - ocfs2_xattr_get_type(entry);
 		if (!cmp)
 			cmp = name_len - entry->xe_name_len;
@@ -1170,7 +1174,7 @@ static int ocfs2_xattr_ibody_get(struct inode *inode,
 	xs->base = (void *)xs->header;
 	xs->here = xs->header->xh_entries;
 
-	ret = ocfs2_xattr_find_entry(name_index, name, xs);
+	ret = ocfs2_xattr_find_entry(inode, name_index, name, xs);
 	if (ret)
 		return ret;
 	size = le64_to_cpu(xs->here->xe_value_size);
@@ -2702,7 +2706,7 @@ static int ocfs2_xattr_ibody_find(struct inode *inode,
 
 	/* Find the named attribute. */
 	if (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL) {
-		ret = ocfs2_xattr_find_entry(name_index, name, xs);
+		ret = ocfs2_xattr_find_entry(inode, name_index, name, xs);
 		if (ret && ret != -ENODATA)
 			return ret;
 		xs->not_found = ret;
@@ -2837,7 +2841,7 @@ static int ocfs2_xattr_block_find(struct inode *inode,
 		xs->end = (void *)(blk_bh->b_data) + blk_bh->b_size;
 		xs->here = xs->header->xh_entries;
 
-		ret = ocfs2_xattr_find_entry(name_index, name, xs);
+		ret = ocfs2_xattr_find_entry(inode, name_index, name, xs);
 	} else
 		ret = ocfs2_xattr_index_block_find(inode, blk_bh,
 						   name_index,




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux