Commit 54dd0e0a authored by Theodore Ts'o's avatar Theodore Ts'o

ext4: add extra checks to ext4_xattr_block_get()

Add explicit checks in ext4_xattr_block_get() just in case the
e_value_offs and e_value_size fields in the the xattr block are
corrupted in memory after the buffer_verified bit is set on the xattr
block.
Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
parent 9496005d
...@@ -197,7 +197,7 @@ ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end, ...@@ -197,7 +197,7 @@ ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end,
while (!IS_LAST_ENTRY(entry)) { while (!IS_LAST_ENTRY(entry)) {
u32 size = le32_to_cpu(entry->e_value_size); u32 size = le32_to_cpu(entry->e_value_size);
if (size > INT_MAX) if (size > EXT4_XATTR_SIZE_MAX)
return -EFSCORRUPTED; return -EFSCORRUPTED;
if (size != 0 && entry->e_value_inum == 0) { if (size != 0 && entry->e_value_inum == 0) {
...@@ -540,8 +540,10 @@ ext4_xattr_block_get(struct inode *inode, int name_index, const char *name, ...@@ -540,8 +540,10 @@ ext4_xattr_block_get(struct inode *inode, int name_index, const char *name,
if (error) if (error)
goto cleanup; goto cleanup;
size = le32_to_cpu(entry->e_value_size); size = le32_to_cpu(entry->e_value_size);
error = -ERANGE;
if (unlikely(size > EXT4_XATTR_SIZE_MAX))
goto cleanup;
if (buffer) { if (buffer) {
error = -ERANGE;
if (size > buffer_size) if (size > buffer_size)
goto cleanup; goto cleanup;
if (entry->e_value_inum) { if (entry->e_value_inum) {
...@@ -550,8 +552,12 @@ ext4_xattr_block_get(struct inode *inode, int name_index, const char *name, ...@@ -550,8 +552,12 @@ ext4_xattr_block_get(struct inode *inode, int name_index, const char *name,
if (error) if (error)
goto cleanup; goto cleanup;
} else { } else {
memcpy(buffer, bh->b_data + u16 offset = le16_to_cpu(entry->e_value_offs);
le16_to_cpu(entry->e_value_offs), size); void *p = bh->b_data + offset;
if (unlikely(p + size > end))
goto cleanup;
memcpy(buffer, p, size);
} }
} }
error = size; error = size;
...@@ -589,8 +595,10 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name, ...@@ -589,8 +595,10 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name,
if (error) if (error)
goto cleanup; goto cleanup;
size = le32_to_cpu(entry->e_value_size); size = le32_to_cpu(entry->e_value_size);
error = -ERANGE;
if (unlikely(size > EXT4_XATTR_SIZE_MAX))
goto cleanup;
if (buffer) { if (buffer) {
error = -ERANGE;
if (size > buffer_size) if (size > buffer_size)
goto cleanup; goto cleanup;
if (entry->e_value_inum) { if (entry->e_value_inum) {
...@@ -599,8 +607,12 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name, ...@@ -599,8 +607,12 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name,
if (error) if (error)
goto cleanup; goto cleanup;
} else { } else {
memcpy(buffer, (void *)IFIRST(header) + u16 offset = le16_to_cpu(entry->e_value_offs);
le16_to_cpu(entry->e_value_offs), size); void *p = (void *)IFIRST(header) + offset;
if (unlikely(p + size > end))
goto cleanup;
memcpy(buffer, p, size);
} }
} }
error = size; error = size;
......
...@@ -70,6 +70,17 @@ struct ext4_xattr_entry { ...@@ -70,6 +70,17 @@ struct ext4_xattr_entry {
EXT4_I(inode)->i_extra_isize)) EXT4_I(inode)->i_extra_isize))
#define IFIRST(hdr) ((struct ext4_xattr_entry *)((hdr)+1)) #define IFIRST(hdr) ((struct ext4_xattr_entry *)((hdr)+1))
/*
* XATTR_SIZE_MAX is currently 64k, but for the purposes of checking
* for file system consistency errors, we use a somewhat bigger value.
* This allows XATTR_SIZE_MAX to grow in the future, but by using this
* instead of INT_MAX for certain consistency checks, we don't need to
* worry about arithmetic overflows. (Actually XATTR_SIZE_MAX is
* defined in include/uapi/linux/limits.h, so changing it is going
* not going to be trivial....)
*/
#define EXT4_XATTR_SIZE_MAX (1 << 24)
/* /*
* The minimum size of EA value when you start storing it in an external inode * The minimum size of EA value when you start storing it in an external inode
* size of block - size of header - size of 1 entry - 4 null bytes * size of block - size of header - size of 1 entry - 4 null bytes
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment