xfs: fix a UAF problem in xattr repair

The xchk_setup_xattr_buf function can allocate a new value buffer, which
means that any reference to ab->value before the call could become a
dangling pointer.  Fix this by moving an assignment to after the buffer
setup.

Cc: stable@vger.kernel.org # v6.10
Fixes: e47dcf113ae348 ("xfs: repair extended attributes")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>

diff --git a/fs/xfs/scrub/attr_repair.c b/fs/xfs/scrub/attr_repair.c
index c7eb94069cafcd001879ecc6533466f65388627b..09d63aa10314b0fbd8d93638dcb296f4b93f39a5 100644 (file)
--- a/fs/xfs/scrub/attr_repair.c
+++ b/fs/xfs/scrub/attr_repair.c
@@ -333,7 +333,6 @@ xrep_xattr_salvage_remote_attr(
                .attr_filter            = ent->flags & XFS_ATTR_NSP_ONDISK_MASK,
                .namelen                = rentry->namelen,
                .name                   = rentry->name,
-               .value                  = ab->value,
                .valuelen               = be32_to_cpu(rentry->valuelen),
        };
        unsigned int                    namesize;
@@ -363,6 +362,7 @@ xrep_xattr_salvage_remote_attr(
                error = -EDEADLOCK;
        if (error)
                return error;
+       args.value = ab->value;
 
        /* Look up the remote value and stash it for reconstruction. */
        error = xfs_attr3_leaf_getvalue(leaf_bp, &args);