From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Randall Huang <huangrandall@google.com>,
Chao Yu <yuchao0@huawei.com>, Jaegeuk Kim <jaegeuk@kernel.org>,
Ben Hutchings <ben.hutchings@codethink.co.uk>
Subject: [PATCH 4.14 047/114] f2fs: fix to avoid memory leakage in f2fs_listxattr
Date: Mon, 18 May 2020 19:36:19 +0200 [thread overview]
Message-ID: <20200518173511.830041124@linuxfoundation.org> (raw)
In-Reply-To: <20200518173503.033975649@linuxfoundation.org>
From: Randall Huang <huangrandall@google.com>
commit 688078e7f36c293dae25b338ddc9e0a2790f6e06 upstream.
In f2fs_listxattr, there is no boundary check before
memcpy e_name to buffer.
If the e_name_len is corrupted,
unexpected memory contents may be returned to the buffer.
Signed-off-by: Randall Huang <huangrandall@google.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[bwh: Backported to 4.14: Use f2fs_msg() instead of f2fs_err()]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/xattr.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/fs/f2fs/xattr.c
+++ b/fs/f2fs/xattr.c
@@ -516,8 +516,9 @@ out:
ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)
{
struct inode *inode = d_inode(dentry);
+ nid_t xnid = F2FS_I(inode)->i_xattr_nid;
struct f2fs_xattr_entry *entry;
- void *base_addr;
+ void *base_addr, *last_base_addr;
int error = 0;
size_t rest = buffer_size;
@@ -527,6 +528,8 @@ ssize_t f2fs_listxattr(struct dentry *de
if (error)
return error;
+ last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode);
+
list_for_each_xattr(entry, base_addr) {
const struct xattr_handler *handler =
f2fs_xattr_handler(entry->e_name_index);
@@ -534,6 +537,16 @@ ssize_t f2fs_listxattr(struct dentry *de
size_t prefix_len;
size_t size;
+ if ((void *)(entry) + sizeof(__u32) > last_base_addr ||
+ (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) {
+ f2fs_msg(dentry->d_sb, KERN_ERR,
+ "inode (%lu) has corrupted xattr",
+ inode->i_ino);
+ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
+ error = -EFSCORRUPTED;
+ goto cleanup;
+ }
+
if (!handler || (handler->list && !handler->list(dentry)))
continue;
next prev parent reply other threads:[~2020-05-18 17:48 UTC|newest]
Thread overview: 120+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-18 17:35 [PATCH 4.14 000/114] 4.14.181-rc1 review Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 001/114] USB: serial: qcserial: Add DW5816e support Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 002/114] dp83640: reverse arguments to list_add_tail Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 003/114] fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 004/114] net: macsec: preserve ingress frame ordering Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 005/114] net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 006/114] net: usb: qmi_wwan: add support for DW5816e Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 007/114] sch_choke: avoid potential panic in choke_reset() Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 008/114] sch_sfq: validate silly quantum values Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 009/114] bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features() Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 010/114] net/mlx5: Fix forced completion access non initialized command entry Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 011/114] net/mlx5: Fix command entry leak in Internal Error State Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 012/114] bnxt_en: Improve AER slot reset Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 013/114] bnxt_en: Fix VF anti-spoof filter setup Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 014/114] net: stricter validation of untrusted gso packets Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 015/114] ipv6: fix cleanup ordering for ip6_mr failure Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 016/114] HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 017/114] geneve: only configure or fill UDP_ZERO_CSUM6_RX/TX info when CONFIG_IPV6 Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 018/114] HID: usbhid: Fix race between usbhid_close() and usbhid_stop() Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 019/114] USB: uas: add quirk for LaCie 2Big Quadra Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 020/114] USB: serial: garmin_gps: add sanity checking for data length Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 021/114] tracing: Add a vmalloc_sync_mappings() for safe measure Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 022/114] KVM: arm: vgic: Fix limit condition when writing to GICD_I[CS]ACTIVER Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 023/114] mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 024/114] coredump: fix crash when umh is disabled Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 025/114] batman-adv: fix batadv_nc_random_weight_tq Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 026/114] batman-adv: Fix refcnt leak in batadv_show_throughput_override Greg Kroah-Hartman
2020-05-18 17:35 ` [PATCH 4.14 027/114] batman-adv: Fix refcnt leak in batadv_store_throughput_override Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 028/114] batman-adv: Fix refcnt leak in batadv_v_ogm_process Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 029/114] x86/entry/64: Fix unwind hints in kernel exit path Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 030/114] x86/entry/64: Fix unwind hints in rewind_stack_do_exit() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 031/114] x86/unwind/orc: Dont skip the first frame for inactive tasks Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 032/114] x86/unwind/orc: Prevent unwinding before ORC initialization Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 033/114] x86/unwind/orc: Fix error path for bad ORC entry type Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 034/114] netfilter: nat: never update the UDP checksum when its 0 Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 035/114] objtool: Fix stack offset tracking for indirect CFAs Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 036/114] scripts/decodecode: fix trapping instruction formatting Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 037/114] net: ipv6: add net argument to ip6_dst_lookup_flow Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 038/114] net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 039/114] blktrace: fix unlocked access to init/start-stop/teardown Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 040/114] blktrace: fix trace mutex deadlock Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 041/114] blktrace: Protect q->blk_trace with RCU Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 042/114] blktrace: fix dereference after null check Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 043/114] f2fs: introduce read_inline_xattr Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 044/114] f2fs: introduce read_xattr_block Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 045/114] f2fs: sanity check of xattr entry size Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 046/114] f2fs: fix to avoid accessing xattr across the boundary Greg Kroah-Hartman
2020-05-18 17:36 ` Greg Kroah-Hartman [this message]
2020-05-18 17:36 ` [PATCH 4.14 048/114] net: stmmac: Use mutex instead of spinlock Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 049/114] shmem: fix possible deadlocks on shmlock_user_lock Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 050/114] net/sonic: Fix a resource leak in an error handling path in jazz_sonic_probe() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 051/114] net: moxa: Fix a potential double free_irq() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 052/114] drop_monitor: work around gcc-10 stringop-overflow warning Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 053/114] virtio-blk: handle block_device_operations callbacks after hot unplug Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 054/114] scsi: sg: add sg_remove_request in sg_write Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 055/114] dmaengine: pch_dma.c: Avoid data race between probe and irq handler Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 056/114] dmaengine: mmp_tdma: Reset channel error on release Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 057/114] cpufreq: intel_pstate: Only mention the BIOS disabling turbo mode once Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 058/114] ALSA: hda/hdmi: fix race in monitor detection during probe Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 059/114] drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 060/114] ipc/util.c: sysvipc_find_ipc() incorrectly updates position index Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 061/114] ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 062/114] x86/entry/64: Fix unwind hints in register clearing code Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 063/114] ipmi: Fix NULL pointer dereference in ssif_probe Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 064/114] pinctrl: baytrail: Enable pin configuration setting for GPIO chip Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 065/114] pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 066/114] i40iw: Fix error handling in i40iw_manage_arp_cache() Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 067/114] netfilter: conntrack: avoid gcc-10 zero-length-bounds warning Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 068/114] IB/mlx4: Test return value of calls to ib_get_cached_pkey Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 069/114] hwmon: (da9052) Synchronize access with mfd Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 070/114] pnp: Use list_for_each_entry() instead of open coding Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 071/114] gcc-10 warnings: fix low-hanging fruit Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 072/114] kbuild: compute false-positive -Wmaybe-uninitialized cases in Kconfig Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 073/114] Stop the ad-hoc games with -Wno-maybe-initialized Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 074/114] gcc-10: disable zero-length-bounds warning for now Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 075/114] gcc-10: disable array-bounds " Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 076/114] gcc-10: disable stringop-overflow " Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 077/114] gcc-10: disable restrict " Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 078/114] gcc-10: avoid shadowing standard library free() in crypto Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 079/114] x86/asm: Add instruction suffixes to bitops Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 080/114] net: phy: micrel: Use strlcpy() for ethtool::get_strings Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 081/114] net: fix a potential recursive NETDEV_FEAT_CHANGE Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 082/114] netlabel: cope with NULL catmap Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 083/114] net: phy: fix aneg restart in phy_ethtool_set_eee Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 084/114] Revert "ipv6: add mtu lock check in __ip6_rt_update_pmtu" Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 085/114] hinic: fix a bug of ndo_stop Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 086/114] net: dsa: loop: Add module soft dependency Greg Kroah-Hartman
2020-05-18 17:36 ` [PATCH 4.14 087/114] net: ipv4: really enforce backoff for redirects Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 088/114] netprio_cgroup: Fix unlimited memory leak of v2 cgroups Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 089/114] net: tcp: fix rx timestamp behavior for tcp_recvmsg Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 090/114] ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 091/114] ALSA: rawmidi: Initialize allocated buffers Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 092/114] ALSA: rawmidi: Fix racy buffer resize under concurrent accesses Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 093/114] ARM: dts: dra7: Fix bus_dma_limit for PCIe Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 094/114] ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 095/114] x86: Fix early boot crash on gcc-10, third try Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 096/114] ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 097/114] usb: core: hub: limit HUB_QUIRK_DISABLE_AUTOSUSPEND to USB5534B Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 098/114] usb: host: xhci-plat: keep runtime active when removing host Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 099/114] USB: gadget: fix illegal array access in binding with UDC Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 100/114] usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 101/114] x86/unwind/orc: Fix error handling in __unwind_start() Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 102/114] exec: Move would_dump into flush_old_exec Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 103/114] clk: rockchip: fix incorrect configuration of rk3228 aclk_gpu* clocks Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 104/114] usb: gadget: net2272: Fix a memory leak in an error handling path in net2272_plat_probe() Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 105/114] usb: gadget: audio: Fix a missing error return value in audio_bind() Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 106/114] usb: gadget: legacy: fix error return code in gncm_bind() Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 107/114] usb: gadget: legacy: fix error return code in cdc_bind() Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 108/114] Revert "ALSA: hda/realtek: Fix pop noise on ALC225" Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 109/114] arm64: dts: rockchip: Replace RK805 PMIC node name with "pmic" on rk3328 boards Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 110/114] arm64: dts: rockchip: Rename dwc3 device nodes on rk3399 to make dtc happy Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 111/114] ARM: dts: r8a73a4: Add missing CMT1 interrupts Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 112/114] ARM: dts: r8a7740: Add missing extal2 to CPG node Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 113/114] KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce Greg Kroah-Hartman
2020-05-18 17:37 ` [PATCH 4.14 114/114] Makefile: disallow data races on gcc-10 as well Greg Kroah-Hartman
2020-05-19 8:15 ` [PATCH 4.14 000/114] 4.14.181-rc1 review Naresh Kamboju
[not found] ` <20200518173503.033975649-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2020-05-19 8:49 ` Jon Hunter
2020-05-19 8:49 ` Jon Hunter
2020-05-19 15:05 ` shuah
2020-05-19 16:28 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200518173511.830041124@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ben.hutchings@codethink.co.uk \
--cc=huangrandall@google.com \
--cc=jaegeuk@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=yuchao0@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.