From: Nikolay Borisov
To: shaggy@kernel.org
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, shankarapailoor@gmail.com, Nikolay Borisov
Subject: [PATCH] jfs: Fix buffer overrun in ea_get
Date: Mon, 18 Jun 2018 11:38:11 +0300
Message-Id: <1529311091-8307-1-git-send-email-nborisov@suse.com>

Currently the ea_buf->xattr buffer is allocated with min(min_size, ea_size). This is wrong since after the xattr buffer is allocated the ->max_size variable is actually rounded up to the next ->s_blocksize size. Fix this by using the rounded up max_size as input to the malloc.

Suggested-by: Shankara Pailoor
Reported-by: Shankara Pailoor
CC: shankarapailoor@gmail.com
Signed-off-by: Nikolay Borisov
---
Hello David,

I'm sending you the patch for the issue which was originally reported and suggested by Shankar. I won't usually go and override the original author of a patch, but given the clear lack of experience with upstream (missing SOB line, no changelog explaining the change, etc.) and the fact that there is already a CVE for this issue (using syzkaller for quick CVE generation seems to be all the rage these days, go figure...) I'd rather have an upstream, backportable version sooner rather than later.

fs/jfs/xattr.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c index c60f3d32ee91..96b9355ff69a 100644 --- a/fs/jfs/xattr.c +++ b/fs/jfs/xattr.c @@ -493,14 +493,14 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size) * To keep the rest of the code simple. Allocate a * contiguous buffer to work with */ - ea_buf->xattr = kmalloc(size, GFP_KERNEL); - if (ea_buf->xattr == NULL) - return -ENOMEM; - ea_buf->flag = EA_MALLOC; ea_buf->max_size = (size + sb->s_blocksize - 1) & ~(sb->s_blocksize - 1); + ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL); + if (ea_buf->xattr == NULL) + return -ENOMEM; + if (ea_size == 0) return 0; -- 2.7.4
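Review bot: with the allocation moved below `ea_buf->flag = EA_MALLOC;` and the `max_size` computation, the `-ENOMEM` return now leaves the ea_buf marked EA_MALLOC with `ea_buf->xattr` still NULL; that is only harmless if the caller's release path tolerates a NULL xattr (kfree(NULL) is a no-op), so either confirm that or set the flag only after `kmalloc` succeeds. The changelog also describes the old allocation as min(min_size, ea_size) while the removed line allocates `size`; stating how `size` is derived from min_size and ea_size would let whoever backports this verify that the rounded-up `ea_buf->max_size` is the bound the later code reads up to, which is the overrun this hunk is meant to close.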