From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Hou Tao, David Woodhouse
Subject: [PATCH 4.4 16/48] jffs2: return -ERANGE when xattr buffer is too small
Date: Thu, 18 Oct 2018 19:54:51 +0200
Message-Id: <20181018175428.883959029@linuxfoundation.org>
In-Reply-To: <20181018175427.133690306@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hou Tao

When a file has multiple xattrs and the passed buffer is smaller than the
required size, jffs2_listxattr() should return -ERANGE instead of
continuing, else Oops may occur due to memory corruption.

Also remove the unnecessary check ("rc < 0"), because xhandle->list(...)
will not return an error number.

Spotted by generic/377 in xfstests-dev.

NB: The problem had been fixed by commit 764a5c6b1fa4 ("xattr handlers:
Simplify list operation") in v4.5-rc1, but the modification in that commit
may be too much because it modifies all file-systems which implement xattr,
so I create a single patch for jffs2 to fix the problem.

Signed-off-by: Hou Tao
Cc: David Woodhouse
Signed-off-by: Greg Kroah-Hartman
---
 fs/jffs2/xattr.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/jffs2/xattr.c +++ b/fs/jffs2/xattr.c @@ -1004,12 +1004,14 @@ ssize_t jffs2_listxattr(struct dentry *d rc = xhandle->list(xhandle, dentry, buffer + len, size - len, xd->xname, xd->name_len); + if (rc > size - len) { + rc = -ERANGE; + goto out; + } } else { rc = xhandle->list(xhandle, dentry, NULL, 0, xd->xname, xd->name_len); } - if (rc < 0) - goto out; len += rc; } rc = len;
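
Review bot: Dropping `if (rc < 0) goto out;` at the end of the loop body leaves `len += rc;` with no guard, so the fix now depends entirely on the changelog's claim that `xhandle->list(...)` never returns an error; in the `else` branch (NULL buffer, size 0) a negative return would silently be subtracted from `len`. I would either keep the check or add a short comment above `len += rc;` stating that invariant. The new test `if (rc > size - len)` deserves a second look as well: the declarations of `rc`, `size` and `len` are outside the hunk, and if `size` is unsigned the comparison is done unsigned, so it is worth confirming that `len` can never exceed `size` when this branch is entered. Finally, the test runs after `list()` has already been handed `buffer + len`, so it only prevents corruption if each handler declines to write when its result does not fit in `size - len`; saying so in the changelog would make the fix easier to audit.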