| Message ID | 20240515132934.69511-3-mengferry@linux.alibaba.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ocfs2: add checks in ocfs2_xattr_find_entry() to avoid potential out-of-bound access. | expand |
On 5/15/24 9:29 PM, Ferry Meng wrote: > xattr in ocfs2 maybe not INLINE, but saved with additional space > requested. It's better to check if the memory is out of bound before > memcmp, although this possibility mainly comes from custom poisonous > images. Specifically, this only addresses the case non-indexed xattr. > > Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com> > --- > fs/ocfs2/xattr.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c > index 37be4a286faf..4ceb0cb4cb71 100644 > --- a/fs/ocfs2/xattr.c > +++ b/fs/ocfs2/xattr.c > @@ -1083,10 +1083,15 @@ static int ocfs2_xattr_find_entry(struct inode *inode, void *end, > cmp = name_index - ocfs2_xattr_get_type(entry); Or define a local variable 'offset' for le16_to_cpu(entry->xe_name_offset). Thanks, Joseph > if (!cmp) > cmp = name_len - entry->xe_name_len; > - if (!cmp) > + if (!cmp) { > + if ((xs->base + le16_to_cpu(entry->xe_name_offset) + name_len) > end) { > + ocfs2_error(inode->i_sb, "corrupted xattr entries"); > + return -EFSCORRUPTED; > + } > cmp = memcmp(name, (xs->base + > le16_to_cpu(entry->xe_name_offset)), > name_len); > + } > if (cmp == 0) > break; > entry += 1;
diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 37be4a286faf..4ceb0cb4cb71 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -1083,10 +1083,15 @@ static int ocfs2_xattr_find_entry(struct inode *inode, void *end, cmp = name_index - ocfs2_xattr_get_type(entry); if (!cmp) cmp = name_len - entry->xe_name_len; - if (!cmp) + if (!cmp) { + if ((xs->base + le16_to_cpu(entry->xe_name_offset) + name_len) > end) { + ocfs2_error(inode->i_sb, "corrupted xattr entries"); + return -EFSCORRUPTED; + } cmp = memcmp(name, (xs->base + le16_to_cpu(entry->xe_name_offset)), name_len); + } if (cmp == 0) break; entry += 1;
xattr in ocfs2 maybe not INLINE, but saved with additional space requested. It's better to check if the memory is out of bound before memcmp, although this possibility mainly comes from custom poisonous images. Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com> --- fs/ocfs2/xattr.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)