From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Randall Huang, Chao Yu, Jaegeuk Kim, Ben Hutchings
Subject: [PATCH 5.4 002/168] f2fs: fix to avoid memory leakage in f2fs_listxattr
Date: Tue, 28 Apr 2020 20:22:56 +0200
Message-Id: <20200428182232.025314631@linuxfoundation.org>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200428182231.704304409@linuxfoundation.org>
References: <20200428182231.704304409@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Randall Huang

commit 688078e7f36c293dae25b338ddc9e0a2790f6e06 upstream.

In f2fs_listxattr, there is no boundary check before memcpy e_name to buffer.
If the e_name_len is corrupted, unexpected memory contents may be returned to the buffer.

Signed-off-by: Randall Huang
Reviewed-by: Chao Yu
Signed-off-by: Jaegeuk Kim
Cc: Ben Hutchings
Signed-off-by: Greg Kroah-Hartman
---
 fs/f2fs/xattr.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/fs/f2fs/xattr.c
+++ b/fs/f2fs/xattr.c
@@ -539,8 +539,9 @@ out: ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) { struct inode *inode = d_inode(dentry); + nid_t xnid = F2FS_I(inode)->i_xattr_nid; struct f2fs_xattr_entry *entry; - void *base_addr; + void *base_addr, *last_base_addr; int error = 0; size_t rest = buffer_size; @@ -550,6 +551,8 @@ ssize_t f2fs_listxattr(struct dentry *de if (error) return error; + last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode); + list_for_each_xattr(entry, base_addr) { const struct xattr_handler *handler = f2fs_xattr_handler(entry->e_name_index);
@@ -557,6 +560,15 @@ ssize_t f2fs_listxattr(struct dentry *de size_t prefix_len; size_t size; + if ((void *)(entry) + sizeof(__u32) > last_base_addr || + (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) { + f2fs_err(F2FS_I_SB(inode), "inode (%lu) has corrupted xattr", + inode->i_ino); + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK); + error = -EFSCORRUPTED; + goto cleanup; + } + if (!handler || (handler->list && !handler->list(dentry))) continue;
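Review bot: in the first hunk (@@ -539,8 +539,9 @@), the new `last_base_addr` is declared with no comment saying what it denotes, and the checks added later depend on it being the one-past-the-end address of the xattr region; a one-line comment such as `/* end of the xattr region read into base_addr */` next to `void *base_addr, *last_base_addr;` would document that invariant. The new `nid_t xnid = F2FS_I(inode)->i_xattr_nid;` line also sits between `struct inode *inode = d_inode(dentry);` and `struct f2fs_xattr_entry *entry;`, which splits the declarations by initialisation rather than keeping the plain declarations together.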
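Review bot: in the second hunk (@@ -550,6 +551,8 @@), `last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode);` derives the upper bound from `XATTR_SIZE(xnid, inode)` rather than from the size of the buffer `base_addr` actually points to; the commit message or a comment should state that these are the same quantity, since a bound larger than the buffer leaves reads past its end unchecked and a smaller one rejects valid lists. The `(void *)` cast on `base_addr` is redundant, as `base_addr` is already declared `void *` in the first hunk.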
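Review bot: in the third hunk (@@ -557,6 +560,15 @@), `(void *)(entry) + sizeof(__u32) > last_base_addr` uses `sizeof(__u32)` as the size of the fixed part of an entry, which is a magic number; a named constant or `offsetof(struct f2fs_xattr_entry, e_name)` (suggested name, not from the patch) would make the intent explicit and keep it tied to the struct layout. The ordering is right: the header bound is tested before `XATTR_NEXT_ENTRY(entry)` consults the untrusted on-disk length, and `>` rather than `>=` correctly accepts an entry that ends exactly at `last_base_addr`. Since this is a new early exit (`error = -EFSCORRUPTED; goto cleanup;`), please confirm that the `cleanup` label releases `base_addr`, so the fix for one leak does not introduce another.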
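A userspace model of the bounds check the patch introduces, added here as an example that is not part of the patch or of f2fs: it walks a constructed xattr entry region, checks each entry's 4-byte header and then its full extent against the region end before copying the name (the check the commit message says was missing), and rejects a constructed entry whose e_name_len overruns the region. The struct layout, terminator rule, macro names and sample bytes are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
/* Userspace model of an on-disk xattr entry (4-byte header, name bytes, value
 * bytes). Layout, terminator and macros are this example's assumptions, not f2fs's. */
struct xattr_entry {
    uint8_t  e_name_index;   /* 0 ends the list in this model */
    uint8_t  e_name_len;     /* untrusted: read from disk */
    uint16_t e_value_size;   /* untrusted: read from disk */
    char     e_name[];
};
#define ENTRY_HDR_SIZE offsetof(struct xattr_entry, e_name)
#define ENTRY_SIZE(h)  (ENTRY_HDR_SIZE + (h)->e_name_len + (h)->e_value_size)

/* Copy each name, NUL-terminated, into out. As in the patched f2fs_listxattr, the
 * header is bounds-checked before its lengths are trusted, then the whole entry is
 * bounds-checked before the name is copied. Returns bytes written, -EUCLEAN (the
 * errno behind the kernel's EFSCORRUPTED) for a corrupted list, -ERANGE if out is small. */
ssize_t list_xattr_names(const void *base, size_t size, char *out, size_t out_size)
{
    const unsigned char *b = base;
    struct xattr_entry hdr;
    size_t off = 0, used = 0;
    for (;;) {
        if (off + ENTRY_HDR_SIZE > size)          /* header inside region? */
            return -EUCLEAN;
        memcpy(&hdr, b + off, ENTRY_HDR_SIZE);      /* alignment-safe read */
        if (hdr.e_name_index == 0)
            break;
        if (off + ENTRY_SIZE(&hdr) > size)          /* whole entry inside? */
            return -EUCLEAN;
        if (used + hdr.e_name_len + 1 > out_size)   /* room in the caller's buffer? */
            return -ERANGE;
        memcpy(out + used, b + off + ENTRY_HDR_SIZE, hdr.e_name_len);
        used += hdr.e_name_len;
        out[used++] = '\0';
        off += ENTRY_SIZE(&hdr);
    }
    return (ssize_t)used;
}

/* Constructed inputs; e_value_size bytes are 0 so there is no endianness dependence. */
static const unsigned char GOOD[] = { 1, 6, 0, 0, 'u','s','e','r','.','a',
    1, 7, 0, 0, 'u','s','e','r','.','b','b',  0, 0, 0, 0 };   /* two names + terminator */
static const unsigned char BAD[]  = { 1, 200, 0, 0, 'u','s','e','r','.','a', 0, 0 }; /* 200-byte name claimed in 12 bytes */
ssize_t demo_valid(void)   { char out[32]; return list_xattr_names(GOOD, sizeof GOOD, out, sizeof out); }
ssize_t demo_corrupt(void) { char out[32]; return list_xattr_names(BAD, sizeof BAD, out, sizeof out); }
```

demo_valid returns 15 (the bytes of "user.a\0user.bb\0"); demo_corrupt returns -EUCLEAN without ever reading the claimed 200 name bytes.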