From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Theodore Tso, stable@kernel.org
Subject: [PATCH 4.16 097/196] ext4: add bounds checking to ext4_xattr_find_entry()
Date: Sun, 22 Apr 2018 15:51:57 +0200
Message-Id: <20180422135109.289326160@linuxfoundation.org>
In-Reply-To: <20180422135104.278511750@linuxfoundation.org>
References: <20180422135104.278511750@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o commit 9496005d6ca4cf8f5ee8f828165a8956872dc59d upstream. Add some paranoia checks to make sure we don't stray beyond the end of the valid memory region containing ext4 xattr entries while we are scanning for a match. Also rename the function to xattr_find_entry() since it is static and thus only used in fs/ext4/xattr.c Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman --- fs/ext4/xattr.c | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -276,18 +276,22 @@ errout: __xattr_check_inode((inode), (header), (end), __func__, __LINE__) static int -ext4_xattr_find_entry(struct ext4_xattr_entry **pentry, int name_index, - const char *name, int sorted) +xattr_find_entry(struct inode *inode, struct ext4_xattr_entry **pentry, + void *end, int name_index, const char *name, int sorted) { - struct ext4_xattr_entry *entry; + struct ext4_xattr_entry *entry, *next; size_t name_len; int cmp = 1; if (name == NULL) return -EINVAL; name_len = strlen(name); - entry = *pentry; - for (; !IS_LAST_ENTRY(entry); entry = EXT4_XATTR_NEXT(entry)) { + for (entry = *pentry; !IS_LAST_ENTRY(entry); entry = next) { + next = EXT4_XATTR_NEXT(entry); + if ((void *) next >= end) { + EXT4_ERROR_INODE(inode, "corrupted xattr entries"); + return -EFSCORRUPTED; + } cmp = name_index - entry->e_name_index; if (!cmp) cmp = name_len - entry->e_name_len; @@ -509,6 +513,7 @@ ext4_xattr_block_get(struct inode *inode struct buffer_head *bh = NULL; struct ext4_xattr_entry *entry; size_t size; + void *end; int error; struct mb_cache *ea_block_cache = EA_BLOCK_CACHE(inode); 
@@ -530,7 +535,8 @@ ext4_xattr_block_get(struct inode *inode goto cleanup; ext4_xattr_block_cache_insert(ea_block_cache, bh); entry = BFIRST(bh); - error = ext4_xattr_find_entry(&entry, name_index, name, 1); + end = bh->b_data + bh->b_size; + error = xattr_find_entry(inode, &entry, end, name_index, name, 1); if (error) goto cleanup; size = le32_to_cpu(entry->e_value_size); @@ -579,7 +585,7 @@ ext4_xattr_ibody_get(struct inode *inode if (error) goto cleanup; entry = IFIRST(header); - error = ext4_xattr_find_entry(&entry, name_index, name, 0); + error = xattr_find_entry(inode, &entry, end, name_index, name, 0); if (error) goto cleanup; size = le32_to_cpu(entry->e_value_size); @@ -1808,8 +1814,8 @@ ext4_xattr_block_find(struct inode *inod bs->s.first = BFIRST(bs->bh); bs->s.end = bs->bh->b_data + bs->bh->b_size; bs->s.here = bs->s.first; - error = ext4_xattr_find_entry(&bs->s.here, i->name_index, - i->name, 1); + error = xattr_find_entry(inode, &bs->s.here, bs->s.end, + i->name_index, i->name, 1); if (error && error != -ENODATA) goto cleanup; bs->s.not_found = error; @@ -2168,8 +2174,8 @@ int ext4_xattr_ibody_find(struct inode * if (error) return error; /* Find the named attribute. */ - error = ext4_xattr_find_entry(&is->s.here, i->name_index, - i->name, 0); + error = xattr_find_entry(inode, &is->s.here, is->s.end, + i->name_index, i->name, 0); if (error && error != -ENODATA) return error; is->s.not_found = error;
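
Review bot: In the first hunk (xattr_find_entry), the new check compares only `next` against `end`, so the starting entry taken from `*pentry` is handed to IS_LAST_ENTRY() without ever being compared to `end` itself. If earlier validation in the callers is what guarantees the first entry lies inside the region, a comment above the function should say so; otherwise add an `(void *) entry >= end` test before the loop. The same comment should state that `end` is exclusive (one past the last valid byte), which the `>=` comparison implies but nothing documents.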
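
Review bot: In the ext4_xattr_ibody_get() hunk (@@ -579,7 +585,7), `end` is passed to xattr_find_entry() but the patch shows neither a declaration nor an assignment for it in this function, unlike ext4_xattr_block_get(), where both `void *end;` and `end = bh->b_data + bh->b_size;` are added. Please confirm that `end` already exists here and is set to the end of the in-inode xattr area on every path that reaches this call, and mention that in the changelog so the stable backport can be checked against trees where the surrounding code differs.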