Subject: Re: [PATCH] f2fs: fix to avoid memory leakage in f2fs_listxattr
To: Randall Huang
References: <20191009032019.6954-1-huangrandall@google.com>
From: Chao Yu
Date: Tue, 15 Oct 2019 15:22:13 +0800
In-Reply-To: <20191009032019.6954-1-huangrandall@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Randall,

On 2019/10/9 11:20, Randall Huang wrote:
> In f2fs_listxattr, there is no boundary check before
> memcpy e_name to buffer.
> If the e_name_len is corrupted,
> unexpected memory contents may be returned to the buffer.
>
> Signed-off-by: Randall Huang
> ---
> fs/f2fs/xattr.c | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
> index b32c45621679..acc3663970cd 100644
> --- a/fs/f2fs/xattr.c
> +++ b/fs/f2fs/xattr.c
> @@ -538,8 +538,9 @@ int f2fs_getxattr(struct inode *inode, int index, const char *name,
> ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)
> {
> struct inode *inode = d_inode(dentry);
> + nid_t xnid = F2FS_I(inode)->i_xattr_nid;
> struct f2fs_xattr_entry *entry;
> - void *base_addr;
> + void *base_addr, *last_base_addr;
> int error = 0;
> size_t rest = buffer_size;
>
> @@ -549,6 +550,8 @@ ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)
> if (error)
> return error;
>
> + last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode);
> +
> list_for_each_xattr(entry, base_addr) {
> const struct xattr_handler *handler =
> f2fs_xattr_handler(entry->e_name_index);
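Review bot: the `(void *)` cast in `last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode);` is redundant, since `base_addr` is already declared `void *` in the previous hunk; `last_base_addr = base_addr + XATTR_SIZE(xnid, inode);` says the same thing with the same void-pointer arithmetic the new check in the next hunk uses on `entry`.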
> @@ -559,6 +562,15 @@ ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)
> if (!handler || (handler->list && !handler->list(dentry)))
> continue;
>
> + if ((void *)(entry) + sizeof(__u32) > last_base_addr ||
> + (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) {
> + f2fs_err(F2FS_I_SB(inode), "inode (%lu) has corrupted xattr",
> + inode->i_ino);
> + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
> + error = -EFSCORRUPTED;
> + goto cleanup;
> + }

Could you relocate the sanity check to the place before we check the handler? As I'm thinking we should always check validation of the current entry before using its field (entry->index).

Thanks,

> +
> prefix = xattr_prefix(handler);
> prefix_len = strlen(prefix);
> size = prefix_len + entry->e_name_len + 1;
>
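Review bot: `sizeof(__u32)` in `(void *)(entry) + sizeof(__u32) > last_base_addr` is a magic size; it only works because the fixed fields before `e_name` happen to occupy four bytes, and nothing in the hunk says so. Spelling the bound as `offsetof(struct f2fs_xattr_entry, e_name)` (or a named macro for the entry header size) ties the check to the struct layout and survives a future change to the header, while keeping the same value today.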
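Added here as an illustration, not f2fs code: a user-space model of the bounds check the patch introduces, with each entry's header and computed end validated against last_base_addr before any field is trusted, in the ordering Chao asks for. The entry layout, the 4-byte alignment behind NEXT_ENTRY and the zero end marker are assumptions that mirror f2fs, and the sample region is constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define EFSCORRUPTED 117                         /* assumption: Linux errno value */
#define XATTR_ALIGN(s) (((s) + 3) & ~(size_t)3)  /* assumed 4-byte entry alignment */

struct xattr_entry {          /* assumed to mirror struct f2fs_xattr_entry */
    uint8_t  e_name_index;
    uint8_t  e_name_len;
    uint16_t e_value_size;    /* host order here; little-endian on disk in f2fs */
    char     e_name[];        /* name bytes, then the value */
};
#define NEXT_ENTRY(e) ((const struct xattr_entry *)((const char *)(e) + \
    XATTR_ALIGN(sizeof(struct xattr_entry) + (e)->e_name_len + (e)->e_value_size)))

/* Constructed sample region: "test"="abc", "id"="" and an all-zero end entry. */
const unsigned char sample_xattrs[24] = {
    1, 4, 3, 0, 't', 'e', 's', 't', 'a', 'b', 'c', 0,
    2, 2, 0, 0, 'i', 'd', 0, 0,
    0, 0, 0, 0 };

/* List names as "name\0name\0..." into out (only size them when out is NULL).
 * Returns the bytes needed, -EFSCORRUPTED when an entry's header or computed
 * end lies past last_base_addr, or -ERANGE when out is too small. */
long list_xattr_names(const void *base, size_t region_size,
                      char *out, size_t out_size)
{
    const char *last_base_addr = (const char *)base + region_size;
    const struct xattr_entry *e = base;
    size_t used = 0;
    for (;;) {
        /* Validate before reading any field: the 4-byte header must fit, and
         * the length fields must not place the next entry past the region. */
        if ((const char *)e + sizeof(uint32_t) > last_base_addr ||
            (const char *)NEXT_ENTRY(e) > last_base_addr)
            return -EFSCORRUPTED;
        if (e->e_name_index == 0)              /* assumed end marker */
            break;
        size_t size = e->e_name_len + 1;       /* name plus NUL */
        if (out) {
            if (used + size > out_size)
                return -ERANGE;
            memcpy(out + used, e->e_name, e->e_name_len);
            out[used + e->e_name_len] = '\0';
        }
        used += size;
        e = NEXT_ENTRY(e);
    }
    return (long)used;
}
```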