orangefs_inode_getxattr() trusts the userspace-client-controlled
downcall.resp.getxattr.val_sz and uses it as a memcpy() length
both for the temporary user buffer and the cached xattr buffer.
Reject malformed negative or oversized lengths before copying
response bytes.

Reported-by: Hyungjung Joo <jhj140711@gmail.com>
Signed-off-by: HyungJung Joo <jhj140711@gmail.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
* Length returned includes null terminator.
*/
length = new_op->downcall.resp.getxattr.val_sz;
+ if (length < 0 || length > ORANGEFS_MAX_XATTR_VALUELEN) {
+ ret = -EIO;
+ goto out_release_op;
+ }
/*
* Just return the length of the queried attribute.
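Review bot: The new rejection path at `if (length < 0 || length > ORANGEFS_MAX_XATTR_VALUELEN)` fails silently, so a userspace client that sends a malformed val_sz shows up only as an unexplained -EIO to the caller. Consider logging the rejected length (rate-limited) before `goto out_release_op;` so the condition can be diagnosed and detected. Also, the comment just above says the returned length includes the null terminator. A short comment stating that ORANGEFS_MAX_XATTR_VALUELEN is the intended upper bound for a length that counts the terminator would help, since `>` accepts length equal to the maximum. Finally, the `length < 0` test only works if `length` is signed and at least as wide as val_sz. Please confirm the assignment cannot truncate a large value into the accepted range before the check runs.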