Date: Wed, 9 Oct 2019 11:20:19 +0800
Message-Id: <20191009032019.6954-1-huangrandall@google.com>
Subject: [PATCH] f2fs: fix to avoid memory leakage in f2fs_listxattr
From: Randall Huang
To: jaegeuk@kernel.org, yuchao0@huawei.com, linux-f2fs-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org
Cc: huangrandall@google.com

In f2fs_listxattr, there is no boundary check before memcpy of e_name to the buffer. If the e_name_len is corrupted, unexpected memory contents may be returned to the buffer.

Signed-off-by: Randall Huang
---
fs/f2fs/xattr.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c index b32c45621679..acc3663970cd 100644 --- a/fs/f2fs/xattr.c +++ b/fs/f2fs/xattr.c @@ -538,8 +538,9 @@ int f2fs_getxattr(struct inode *inode, int index, const char *name, ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) { struct inode *inode = d_inode(dentry); + nid_t xnid = F2FS_I(inode)->i_xattr_nid; struct f2fs_xattr_entry *entry; - void *base_addr; + void *base_addr, *last_base_addr; int error = 0; size_t rest = buffer_size;
@@ -549,6 +550,8 @@ ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) if (error) return error; + last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode); + list_for_each_xattr(entry, base_addr) { const struct xattr_handler *handler = f2fs_xattr_handler(entry->e_name_index); @@ -559,6 +562,15 @@ ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) if (!handler || (handler->list && !handler->list(dentry))) continue; + if ((void *)(entry) + sizeof(__u32) > last_base_addr || + (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) { + f2fs_err(F2FS_I_SB(inode), "inode (%lu) has corrupted xattr", + inode->i_ino); + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK); + error = -EFSCORRUPTED; + goto cleanup; + } + prefix = xattr_prefix(handler); prefix_len = strlen(prefix); size = prefix_len + entry->e_name_len + 1; -- 2.23.0.581.g78d2f28ef7-goog
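Review bot: in the second hunk, the cast in `last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode);` is redundant, since `base_addr` is already declared `void *` in the first hunk; drop the cast. Computing the end pointer only after the `if (error) return error;` check is right, because the xattr block has not been read until then, but a one-line comment saying that `last_base_addr` is the first byte past the in-memory xattr region would help the next reader of the bounds check.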
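Review bot: in the third hunk, the new bounds check runs too late: `f2fs_xattr_handler(entry->e_name_index)` has already dereferenced the entry header above it, and any entry skipped by `continue` (no handler, or `handler->list` rejecting it) is never validated before `list_for_each_xattr` evaluates `XATTR_NEXT_ENTRY(entry)` to advance, which is exactly the corrupted `e_name_len` read the commit message describes. Move the `(void *)(entry) + sizeof(__u32) > last_base_addr || (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr` check to the top of the loop body, before the handler lookup. Two smaller points: `sizeof(__u32)` stands in for the size of the fixed entry header and deserves a comment or a named constant, and `goto cleanup` jumps to a label outside the visible context, so confirm that path frees `base_addr` and returns `error` rather than the partially filled size.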