[PATCH v2 1/2] ext2: introduce helper for xattr header validation

[PATCH v2 1/2] ext2: introduce helper for xattr header validation

[Chengguang Xu]

Introduce helper function ext2_xattr_header_valid()
for xattr header validation and clean up the header
check ralated code.

Signed-off-by: Chengguang Xu <cgxu519@zoho.com.cn>
---
v1->v2:
- Pass xattr header to ext2_xattr_header_valid().
- Change signed-off mail address.

 fs/ext2/xattr.c | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
index 1e33e0ac8cf1..db27260d6a5b 100644
--- a/fs/ext2/xattr.c
+++ b/fs/ext2/xattr.c
@@ -134,6 +134,16 @@ ext2_xattr_handler(int name_index)
 	return handler;
 }
 
+static bool
+ext2_xattr_header_valid(struct ext2_xattr_header *header)
+{
+	if (header->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
+	    header->h_blocks != cpu_to_le32(1))
+		return false;
+
+	return true;
+}
+
 /*
  * ext2_xattr_get()
  *
@@ -176,9 +186,9 @@ ext2_xattr_get(struct inode *inode, int name_index, const char *name,
 	ea_bdebug(bh, "b_count=%d, refcount=%d",
 		atomic_read(&(bh->b_count)), le32_to_cpu(HDR(bh)->h_refcount));
 	end = bh->b_data + bh->b_size;
-	if (HDR(bh)->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
-	    HDR(bh)->h_blocks != cpu_to_le32(1)) {
-bad_block:	ext2_error(inode->i_sb, "ext2_xattr_get",
+	if (!ext2_xattr_header_valid(HDR(bh))) {
+bad_block:
+		ext2_error(inode->i_sb, "ext2_xattr_get",
 			"inode %ld: bad block %d", inode->i_ino,
 			EXT2_I(inode)->i_file_acl);
 		error = -EIO;
@@ -266,9 +276,9 @@ ext2_xattr_list(struct dentry *dentry, char *buffer, size_t buffer_size)
 	ea_bdebug(bh, "b_count=%d, refcount=%d",
 		atomic_read(&(bh->b_count)), le32_to_cpu(HDR(bh)->h_refcount));
 	end = bh->b_data + bh->b_size;
-	if (HDR(bh)->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
-	    HDR(bh)->h_blocks != cpu_to_le32(1)) {
-bad_block:	ext2_error(inode->i_sb, "ext2_xattr_list",
+	if (!ext2_xattr_header_valid(HDR(bh))) {
+bad_block:
+		ext2_error(inode->i_sb, "ext2_xattr_list",
 			"inode %ld: bad block %d", inode->i_ino,
 			EXT2_I(inode)->i_file_acl);
 		error = -EIO;
@@ -406,9 +416,9 @@ ext2_xattr_set(struct inode *inode, int name_index, const char *name,
 			le32_to_cpu(HDR(bh)->h_refcount));
 		header = HDR(bh);
 		end = bh->b_data + bh->b_size;
-		if (header->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
-		    header->h_blocks != cpu_to_le32(1)) {
-bad_block:		ext2_error(sb, "ext2_xattr_set",
+		if (!ext2_xattr_header_valid(header)) {
+bad_block:
+			ext2_error(sb, "ext2_xattr_set",
 				"inode %ld: bad block %d", inode->i_ino, 
 				   EXT2_I(inode)->i_file_acl);
 			error = -EIO;
@@ -784,8 +794,7 @@ ext2_xattr_delete_inode(struct inode *inode)
 		goto cleanup;
 	}
 	ea_bdebug(bh, "b_count=%d", atomic_read(&(bh->b_count)));
-	if (HDR(bh)->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
-	    HDR(bh)->h_blocks != cpu_to_le32(1)) {
+	if (!ext2_xattr_header_valid(HDR(bh))) {
 		ext2_error(inode->i_sb, "ext2_xattr_delete_inode",
 			"inode %ld: bad block %d", inode->i_ino,
 			EXT2_I(inode)->i_file_acl);
-- 
2.17.2

[PATCH v2 2/2] ext2: introduce helper for xattr entry validation

[Chengguang Xu]

Introduce helper function ext2_xattr_entry_valid()
for xattr entry validation and clean up the entry
check ralated code.

Signed-off-by: Chengguang Xu <cgxu519@zoho.com.cn>
---
v1->v2:
- Pass end offset instead of inode to ext2_xattr_entry_valid()
- Change signed-off mail address.

 fs/ext2/xattr.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
index db27260d6a5b..d11c83529514 100644
--- a/fs/ext2/xattr.c
+++ b/fs/ext2/xattr.c
@@ -144,6 +144,20 @@ ext2_xattr_header_valid(struct ext2_xattr_header *header)
 	return true;
 }
 
+static bool
+ext2_xattr_entry_valid(struct ext2_xattr_entry *entry, size_t size,
+		       size_t end_offs)
+{
+	if (entry->e_value_block != 0)
+		return false;
+
+	if (size > end_offs ||
+	    le16_to_cpu(entry->e_value_offs) + size > end_offs)
+		return false;
+
+	return true;
+}
+
 /*
  * ext2_xattr_get()
  *
@@ -217,8 +231,7 @@ ext2_xattr_get(struct inode *inode, int name_index, const char *name,
 	if (entry->e_value_block != 0)
 		goto bad_block;
 	size = le32_to_cpu(entry->e_value_size);
-	if (size > inode->i_sb->s_blocksize ||
-	    le16_to_cpu(entry->e_value_offs) + size > inode->i_sb->s_blocksize)
+	if (!ext2_xattr_entry_valid(entry, size, inode->i_sb->s_blocksize))
 		goto bad_block;
 
 	if (ext2_xattr_cache_insert(ea_block_cache, bh))
@@ -483,8 +496,8 @@ ext2_xattr_set(struct inode *inode, int name_index, const char *name,
 		if (!here->e_value_block && here->e_value_size) {
 			size_t size = le32_to_cpu(here->e_value_size);
 
-			if (le16_to_cpu(here->e_value_offs) + size > 
-			    sb->s_blocksize || size > sb->s_blocksize)
+			if (!ext2_xattr_entry_valid(here, size,
+			    inode->i_sb->s_blocksize))
 				goto bad_block;
 			free += EXT2_XATTR_SIZE(size);
 		}
-- 
2.17.2

Re: [PATCH v2 1/2] ext2: introduce helper for xattr header validation

[Andreas Dilger]

[-- Attachment #1: Type: text/plain, Size: 3359 bytes --]

On May 13, 2019, at 4:40 PM, Chengguang Xu <cgxu519@zoho.com.cn> wrote:
> 
> Introduce helper function ext2_xattr_header_valid()
> for xattr header validation and clean up the header
> check ralated code.
> 
> Signed-off-by: Chengguang Xu <cgxu519@zoho.com.cn>

Reviewed-by: Andreas Dilger <adilger@dilger.ca>

> ---
> v1->v2:
> - Pass xattr header to ext2_xattr_header_valid().
> - Change signed-off mail address.
> 
> fs/ext2/xattr.c | 31 ++++++++++++++++++++-----------
> 1 file changed, 20 insertions(+), 11 deletions(-)
> 
> diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
> index 1e33e0ac8cf1..db27260d6a5b 100644
> --- a/fs/ext2/xattr.c
> +++ b/fs/ext2/xattr.c
> @@ -134,6 +134,16 @@ ext2_xattr_handler(int name_index)
> 	return handler;
> }
> 
> +static bool
> +ext2_xattr_header_valid(struct ext2_xattr_header *header)
> +{
> +	if (header->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
> +	    header->h_blocks != cpu_to_le32(1))
> +		return false;
> +
> +	return true;
> +}
> +
> /*
>  * ext2_xattr_get()
>  *
> @@ -176,9 +186,9 @@ ext2_xattr_get(struct inode *inode, int name_index, const char *name,
> 	ea_bdebug(bh, "b_count=%d, refcount=%d",
> 		atomic_read(&(bh->b_count)), le32_to_cpu(HDR(bh)->h_refcount));
> 	end = bh->b_data + bh->b_size;
> -	if (HDR(bh)->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
> -	    HDR(bh)->h_blocks != cpu_to_le32(1)) {
> -bad_block:	ext2_error(inode->i_sb, "ext2_xattr_get",
> +	if (!ext2_xattr_header_valid(HDR(bh))) {
> +bad_block:
> +		ext2_error(inode->i_sb, "ext2_xattr_get",
> 			"inode %ld: bad block %d", inode->i_ino,
> 			EXT2_I(inode)->i_file_acl);
> 		error = -EIO;
> @@ -266,9 +276,9 @@ ext2_xattr_list(struct dentry *dentry, char *buffer, size_t buffer_size)
> 	ea_bdebug(bh, "b_count=%d, refcount=%d",
> 		atomic_read(&(bh->b_count)), le32_to_cpu(HDR(bh)->h_refcount));
> 	end = bh->b_data + bh->b_size;
> -	if (HDR(bh)->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
> -	    HDR(bh)->h_blocks != cpu_to_le32(1)) {
> -bad_block:	ext2_error(inode->i_sb, "ext2_xattr_list",
> +	if (!ext2_xattr_header_valid(HDR(bh))) {
> +bad_block:
> +		ext2_error(inode->i_sb, "ext2_xattr_list",
> 			"inode %ld: bad block %d", inode->i_ino,
> 			EXT2_I(inode)->i_file_acl);
> 		error = -EIO;
> @@ -406,9 +416,9 @@ ext2_xattr_set(struct inode *inode, int name_index, const char *name,
> 			le32_to_cpu(HDR(bh)->h_refcount));
> 		header = HDR(bh);
> 		end = bh->b_data + bh->b_size;
> -		if (header->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
> -		    header->h_blocks != cpu_to_le32(1)) {
> -bad_block:		ext2_error(sb, "ext2_xattr_set",
> +		if (!ext2_xattr_header_valid(header)) {
> +bad_block:
> +			ext2_error(sb, "ext2_xattr_set",
> 				"inode %ld: bad block %d", inode->i_ino,
> 				   EXT2_I(inode)->i_file_acl);
> 			error = -EIO;
> @@ -784,8 +794,7 @@ ext2_xattr_delete_inode(struct inode *inode)
> 		goto cleanup;
> 	}
> 	ea_bdebug(bh, "b_count=%d", atomic_read(&(bh->b_count)));
> -	if (HDR(bh)->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
> -	    HDR(bh)->h_blocks != cpu_to_le32(1)) {
> +	if (!ext2_xattr_header_valid(HDR(bh))) {
> 		ext2_error(inode->i_sb, "ext2_xattr_delete_inode",
> 			"inode %ld: bad block %d", inode->i_ino,
> 			EXT2_I(inode)->i_file_acl);
> --
> 2.17.2
> 
> 


Cheers, Andreas






[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 873 bytes --]

Re: [PATCH v2 2/2] ext2: introduce helper for xattr entry validation

[Andreas Dilger]

[-- Attachment #1: Type: text/plain, Size: 2143 bytes --]

On May 13, 2019, at 4:40 PM, Chengguang Xu <cgxu519@zoho.com.cn> wrote:
> 
> Introduce helper function ext2_xattr_entry_valid()
> for xattr entry validation and clean up the entry
> check ralated code.
> 
> Signed-off-by: Chengguang Xu <cgxu519@zoho.com.cn>

Reviewed-by: Andreas Dilger <adilger@dilger.ca>

> ---
> v1->v2:
> - Pass end offset instead of inode to ext2_xattr_entry_valid()
> - Change signed-off mail address.
> 
> fs/ext2/xattr.c | 21 +++++++++++++++++----
> 1 file changed, 17 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
> index db27260d6a5b..d11c83529514 100644
> --- a/fs/ext2/xattr.c
> +++ b/fs/ext2/xattr.c
> @@ -144,6 +144,20 @@ ext2_xattr_header_valid(struct ext2_xattr_header *header)
> 	return true;
> }
> 
> +static bool
> +ext2_xattr_entry_valid(struct ext2_xattr_entry *entry, size_t size,
> +		       size_t end_offs)
> +{
> +	if (entry->e_value_block != 0)
> +		return false;
> +
> +	if (size > end_offs ||
> +	    le16_to_cpu(entry->e_value_offs) + size > end_offs)
> +		return false;
> +
> +	return true;
> +}
> +
> /*
>  * ext2_xattr_get()
>  *
> @@ -217,8 +231,7 @@ ext2_xattr_get(struct inode *inode, int name_index, const char *name,
> 	if (entry->e_value_block != 0)
> 		goto bad_block;
> 	size = le32_to_cpu(entry->e_value_size);
> -	if (size > inode->i_sb->s_blocksize ||
> -	    le16_to_cpu(entry->e_value_offs) + size > inode->i_sb->s_blocksize)
> +	if (!ext2_xattr_entry_valid(entry, size, inode->i_sb->s_blocksize))
> 		goto bad_block;
> 
> 	if (ext2_xattr_cache_insert(ea_block_cache, bh))
> @@ -483,8 +496,8 @@ ext2_xattr_set(struct inode *inode, int name_index, const char *name,
> 		if (!here->e_value_block && here->e_value_size) {
> 			size_t size = le32_to_cpu(here->e_value_size);
> 
> -			if (le16_to_cpu(here->e_value_offs) + size >
> -			    sb->s_blocksize || size > sb->s_blocksize)
> +			if (!ext2_xattr_entry_valid(here, size,
> +			    inode->i_sb->s_blocksize))
> 				goto bad_block;
> 			free += EXT2_XATTR_SIZE(size);
> 		}
> --
> 2.17.2
> 
> 


Cheers, Andreas






[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 873 bytes --]

Re: [PATCH v2 2/2] ext2: introduce helper for xattr entry validation

[Alexey Lyashkov]

I think this patch need to be refined.

>> if (entry->e_value_block != 0
duplicated with check bellow ext2_xattr_entry_valid checks.




> 14 мая 2019 г., в 18:32, Andreas Dilger <adilger@dilger.ca> написал(а):
> 
> On May 13, 2019, at 4:40 PM, Chengguang Xu <cgxu519@zoho.com.cn> wrote:
>> 
>> Introduce helper function ext2_xattr_entry_valid()
>> for xattr entry validation and clean up the entry
>> check ralated code.
>> 
>> Signed-off-by: Chengguang Xu <cgxu519@zoho.com.cn>
> 
> Reviewed-by: Andreas Dilger <adilger@dilger.ca>
> 
>> ---
>> v1->v2:
>> - Pass end offset instead of inode to ext2_xattr_entry_valid()
>> - Change signed-off mail address.
>> 
>> fs/ext2/xattr.c | 21 +++++++++++++++++----
>> 1 file changed, 17 insertions(+), 4 deletions(-)
>> 
>> diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
>> index db27260d6a5b..d11c83529514 100644
>> --- a/fs/ext2/xattr.c
>> +++ b/fs/ext2/xattr.c
>> @@ -144,6 +144,20 @@ ext2_xattr_header_valid(struct ext2_xattr_header *header)
>> 	return true;
>> }
>> 
>> +static bool
>> +ext2_xattr_entry_valid(struct ext2_xattr_entry *entry, size_t size,
>> +		       size_t end_offs)
>> +{
>> +	if (entry->e_value_block != 0)
>> +		return false;
>> +
>> +	if (size > end_offs ||
>> +	    le16_to_cpu(entry->e_value_offs) + size > end_offs)
>> +		return false;
>> +
>> +	return true;
>> +}
>> +
>> /*
>> * ext2_xattr_get()
>> *
>> @@ -217,8 +231,7 @@ ext2_xattr_get(struct inode *inode, int name_index, const char *name,
>> 	if (entry->e_value_block != 0)
>> 		goto bad_block;
>> 	size = le32_to_cpu(entry->e_value_size);
>> -	if (size > inode->i_sb->s_blocksize ||
>> -	    le16_to_cpu(entry->e_value_offs) + size > inode->i_sb->s_blocksize)
>> +	if (!ext2_xattr_entry_valid(entry, size, inode->i_sb->s_blocksize))
>> 		goto bad_block;
>> 
>> 	if (ext2_xattr_cache_insert(ea_block_cache, bh))
>> @@ -483,8 +496,8 @@ ext2_xattr_set(struct inode *inode, int name_index, const char *name,
>> 		if (!here->e_value_block && here->e_value_size) {
>> 			size_t size = le32_to_cpu(here->e_value_size);
>> 
>> -			if (le16_to_cpu(here->e_value_offs) + size >
>> -			    sb->s_blocksize || size > sb->s_blocksize)
>> +			if (!ext2_xattr_entry_valid(here, size,
>> +			    inode->i_sb->s_blocksize))
>> 				goto bad_block;
>> 			free += EXT2_XATTR_SIZE(size);
>> 		}
>> --
>> 2.17.2
>> 
>> 
> 
> 
> Cheers, Andreas
> 
> 
> 
> 
> 

Re: [PATCH v2 1/2] ext2: introduce helper for xattr header validation

[Jan Kara]

On Tue 14-05-19 09:32:10, Andreas Dilger wrote:
> On May 13, 2019, at 4:40 PM, Chengguang Xu <cgxu519@zoho.com.cn> wrote:
> > 
> > Introduce helper function ext2_xattr_header_valid()
> > for xattr header validation and clean up the header
> > check ralated code.
> > 
> > Signed-off-by: Chengguang Xu <cgxu519@zoho.com.cn>
> 
> Reviewed-by: Andreas Dilger <adilger@dilger.ca>

Thanks. Applied.

								Honza
> 
> > ---
> > v1->v2:
> > - Pass xattr header to ext2_xattr_header_valid().
> > - Change signed-off mail address.
> > 
> > fs/ext2/xattr.c | 31 ++++++++++++++++++++-----------
> > 1 file changed, 20 insertions(+), 11 deletions(-)
> > 
> > diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
> > index 1e33e0ac8cf1..db27260d6a5b 100644
> > --- a/fs/ext2/xattr.c
> > +++ b/fs/ext2/xattr.c
> > @@ -134,6 +134,16 @@ ext2_xattr_handler(int name_index)
> > 	return handler;
> > }
> > 
> > +static bool
> > +ext2_xattr_header_valid(struct ext2_xattr_header *header)
> > +{
> > +	if (header->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
> > +	    header->h_blocks != cpu_to_le32(1))
> > +		return false;
> > +
> > +	return true;
> > +}
> > +
> > /*
> >  * ext2_xattr_get()
> >  *
> > @@ -176,9 +186,9 @@ ext2_xattr_get(struct inode *inode, int name_index, const char *name,
> > 	ea_bdebug(bh, "b_count=%d, refcount=%d",
> > 		atomic_read(&(bh->b_count)), le32_to_cpu(HDR(bh)->h_refcount));
> > 	end = bh->b_data + bh->b_size;
> > -	if (HDR(bh)->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
> > -	    HDR(bh)->h_blocks != cpu_to_le32(1)) {
> > -bad_block:	ext2_error(inode->i_sb, "ext2_xattr_get",
> > +	if (!ext2_xattr_header_valid(HDR(bh))) {
> > +bad_block:
> > +		ext2_error(inode->i_sb, "ext2_xattr_get",
> > 			"inode %ld: bad block %d", inode->i_ino,
> > 			EXT2_I(inode)->i_file_acl);
> > 		error = -EIO;
> > @@ -266,9 +276,9 @@ ext2_xattr_list(struct dentry *dentry, char *buffer, size_t buffer_size)
> > 	ea_bdebug(bh, "b_count=%d, refcount=%d",
> > 		atomic_read(&(bh->b_count)), le32_to_cpu(HDR(bh)->h_refcount));
> > 	end = bh->b_data + bh->b_size;
> > -	if (HDR(bh)->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
> > -	    HDR(bh)->h_blocks != cpu_to_le32(1)) {
> > -bad_block:	ext2_error(inode->i_sb, "ext2_xattr_list",
> > +	if (!ext2_xattr_header_valid(HDR(bh))) {
> > +bad_block:
> > +		ext2_error(inode->i_sb, "ext2_xattr_list",
> > 			"inode %ld: bad block %d", inode->i_ino,
> > 			EXT2_I(inode)->i_file_acl);
> > 		error = -EIO;
> > @@ -406,9 +416,9 @@ ext2_xattr_set(struct inode *inode, int name_index, const char *name,
> > 			le32_to_cpu(HDR(bh)->h_refcount));
> > 		header = HDR(bh);
> > 		end = bh->b_data + bh->b_size;
> > -		if (header->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
> > -		    header->h_blocks != cpu_to_le32(1)) {
> > -bad_block:		ext2_error(sb, "ext2_xattr_set",
> > +		if (!ext2_xattr_header_valid(header)) {
> > +bad_block:
> > +			ext2_error(sb, "ext2_xattr_set",
> > 				"inode %ld: bad block %d", inode->i_ino,
> > 				   EXT2_I(inode)->i_file_acl);
> > 			error = -EIO;
> > @@ -784,8 +794,7 @@ ext2_xattr_delete_inode(struct inode *inode)
> > 		goto cleanup;
> > 	}
> > 	ea_bdebug(bh, "b_count=%d", atomic_read(&(bh->b_count)));
> > -	if (HDR(bh)->h_magic != cpu_to_le32(EXT2_XATTR_MAGIC) ||
> > -	    HDR(bh)->h_blocks != cpu_to_le32(1)) {
> > +	if (!ext2_xattr_header_valid(HDR(bh))) {
> > 		ext2_error(inode->i_sb, "ext2_xattr_delete_inode",
> > 			"inode %ld: bad block %d", inode->i_ino,
> > 			EXT2_I(inode)->i_file_acl);
> > --
> > 2.17.2
> > 
> > 
> 
> 
> Cheers, Andreas
> 
> 
> 
> 
> 


-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

Re: [PATCH v2 2/2] ext2: introduce helper for xattr entry validation

[Jan Kara]

On Tue 14-05-19 06:40:42, Chengguang Xu wrote:
> Introduce helper function ext2_xattr_entry_valid()
> for xattr entry validation and clean up the entry
> check ralated code.
> 
> Signed-off-by: Chengguang Xu <cgxu519@zoho.com.cn>

So I like the direction where this is going but I don't think the end
result after this particular patch is significantly better. So I've ended
up modifying this patch slightly and adding two more cleanups to make things
more obvious. I'll send the result separately.

								Honza

> ---
> v1->v2:
> - Pass end offset instead of inode to ext2_xattr_entry_valid()
> - Change signed-off mail address.
> 
>  fs/ext2/xattr.c | 21 +++++++++++++++++----
>  1 file changed, 17 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
> index db27260d6a5b..d11c83529514 100644
> --- a/fs/ext2/xattr.c
> +++ b/fs/ext2/xattr.c
> @@ -144,6 +144,20 @@ ext2_xattr_header_valid(struct ext2_xattr_header *header)
>  	return true;
>  }
>  
> +static bool
> +ext2_xattr_entry_valid(struct ext2_xattr_entry *entry, size_t size,
> +		       size_t end_offs)
> +{
> +	if (entry->e_value_block != 0)
> +		return false;
> +
> +	if (size > end_offs ||
> +	    le16_to_cpu(entry->e_value_offs) + size > end_offs)
> +		return false;
> +
> +	return true;
> +}
> +
>  /*
>   * ext2_xattr_get()
>   *
> @@ -217,8 +231,7 @@ ext2_xattr_get(struct inode *inode, int name_index, const char *name,
>  	if (entry->e_value_block != 0)
>  		goto bad_block;
>  	size = le32_to_cpu(entry->e_value_size);
> -	if (size > inode->i_sb->s_blocksize ||
> -	    le16_to_cpu(entry->e_value_offs) + size > inode->i_sb->s_blocksize)
> +	if (!ext2_xattr_entry_valid(entry, size, inode->i_sb->s_blocksize))
>  		goto bad_block;
>  
>  	if (ext2_xattr_cache_insert(ea_block_cache, bh))
> @@ -483,8 +496,8 @@ ext2_xattr_set(struct inode *inode, int name_index, const char *name,
>  		if (!here->e_value_block && here->e_value_size) {
>  			size_t size = le32_to_cpu(here->e_value_size);
>  
> -			if (le16_to_cpu(here->e_value_offs) + size > 
> -			    sb->s_blocksize || size > sb->s_blocksize)
> +			if (!ext2_xattr_entry_valid(here, size,
> +			    inode->i_sb->s_blocksize))
>  				goto bad_block;
>  			free += EXT2_XATTR_SIZE(size);
>  		}
> -- 
> 2.17.2
> 
> 
> 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR