]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6dcc98f)
ext4: add bounds checking in get_max_inline_xattr_value_size()
authorTheodore Ts'o <tytso@mit.edu>
Fri, 12 May 2023 19:11:02 +0000 (15:11 -0400)
committerTheodore Ts'o <tytso@mit.edu>
Sat, 13 May 2023 22:05:05 +0000 (18:05 -0400)
Normally the extended attributes in the inode body would have been
checked when the inode is first opened, but if someone is writing to
the block device while the file system is mounted, it's possible for
the inode table to get corrupted.  Add bounds checking to avoid
reading beyond the end of allocated memory if this happens.

Reported-by: syzbot+1966db24521e5f6e23f7@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=1966db24521e5f6e23f7
Cc: stable@kernel.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
fs/ext4/inline.c patch | blob | blame | history

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index d3dfc51a43c58be04af041e7f11353ce968a4856..f47adb284e9014bbefb6825966ef5d372ffb5c51 100644 (file)
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -34,6 +34,7 @@ static int get_max_inline_xattr_value_size(struct inode *inode,
        struct ext4_xattr_ibody_header *header;
        struct ext4_xattr_entry *entry;
        struct ext4_inode *raw_inode;
+       void *end;
        int free, min_offs;
 
        if (!EXT4_INODE_HAS_XATTR_SPACE(inode))
@@ -57,14 +58,23 @@ static int get_max_inline_xattr_value_size(struct inode *inode,
        raw_inode = ext4_raw_inode(iloc);
        header = IHDR(inode, raw_inode);
        entry = IFIRST(header);
+       end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
 
        /* Compute min_offs. */
-       for (; !IS_LAST_ENTRY(entry); entry = EXT4_XATTR_NEXT(entry)) {
+       while (!IS_LAST_ENTRY(entry)) {
+               void *next = EXT4_XATTR_NEXT(entry);
+
+               if (next >= end) {
+                       EXT4_ERROR_INODE(inode,
+                                        "corrupt xattr in inline inode");
+                       return 0;
+               }
                if (!entry->e_value_inum && entry->e_value_size) {
                        size_t offs = le16_to_cpu(entry->e_value_offs);
                        if (offs < min_offs)
                                min_offs = offs;
                }
+               entry = next;
        }
        free = min_offs -
                ((void *)entry - (void *)IFIRST(header)) - sizeof(__u32);
A mirror of Linus' kernel repository