From: HyungJung Joo <jhj140711@gmail.com>
Date: Fri, 13 Mar 2026 06:34:44 +0000 (+0900)
Subject: orangefs: validate getxattr response length
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=092e0d0e964279feb9f43f81e8d1c52ef080d085;p=thirdparty%2Fkernel%2Flinux.git

orangefs: validate getxattr response length

orangefs_inode_getxattr() trusts the userspace-client-controlled
downcall.resp.getxattr.val_sz and uses it as a memcpy() length
both for the temporary user buffer and the cached xattr buffer.
Reject malformed negative or oversized lengths before copying
response bytes.

Reported-by: Hyungjung Joo <jhj140711@gmail.com>
Signed-off-by: HyungJung Joo <jhj140711@gmail.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
---

diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c
index 1b372189cd10b..b6d116302de4e 100644
--- a/fs/orangefs/xattr.c
+++ b/fs/orangefs/xattr.c
@@ -188,6 +188,10 @@ ssize_t orangefs_inode_getxattr(struct inode *inode, const char *name,
 	 * Length returned includes null terminator.
 	 */
 	length = new_op->downcall.resp.getxattr.val_sz;
+	if (length < 0 || length > ORANGEFS_MAX_XATTR_VALUELEN) {
+		ret = -EIO;
+		goto out_release_op;
+	}
 
 	/*
 	 * Just return the length of the queried attribute.