Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp2593417lqo; Tue, 14 May 2024 03:41:25 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXz7BkFMAVOMcV2Rw6/LfXwYOulzLRa3BWDQzg+ddtt54pJmEpX6WdihrpfTV9z8hHvpwneuMHK0dsewCLLl7FzmBF7L7jgTNjUSETU+g== X-Google-Smtp-Source: AGHT+IHN0MjC/dDudlMH57qbmgp3cWDqtB7yqcI/PFlIxosm4skMWi7lpcfnf3+N5/GwPxzXcMRN X-Received: by 2002:a0d:ebc7:0:b0:61b:3356:be1e with SMTP id 00721157ae682-622affa6abdmr117027917b3.20.1715683285360; Tue, 14 May 2024 03:41:25 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715683285; cv=pass; d=google.com; s=arc-20160816; b=oQxLhBiKe+CaLEJEn52+8lCXewSWlUc53SHgGOyVdl1+/I7Kfcz8Ycr6opjfjXBPkc WrzkPa+Tmp9WqASmJV9Z7bO6ZyQioV5sI18/gm9fRj2MZrwtzbyaj8LMVonEuCfQiOXD AibUzkMOCDFU+9bUXxJ7faHuPb0nJjeei14wHj/yfoCq7U8kFKGLbWLREAk9ekqW/R9Y Ppoh28xLCTZBSwFFRUfki8DFndoH86H91Z/YsYv8VA83uEoPfTNyNnnZmo0bgKUuIdbc McdCFAZgzZACjG4EqbsxlKO+LyapzlaqxRdbV5IDRa78U9UcH/4P9AjqyIHI3u/VF+kG Bw+A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:lines:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from:dkim-signature; bh=8WGuI/Y1qcoI4DX9tBlnYKN3CxLRBJ4u/NdndLihEuA=; fh=hRJppRhrdA1Zumb25EzCUNr/6CFtgFS4TltHrzz5+u8=; b=yaTzXGQGCMq+lg70sjPcBNkzNDkLMglo8FnP9HjrAvt/Wl56AO8oDG/ewhqcmQ037A FM01/oDEqWkV0BN78QyCcvJoWXg06fX3+4qegNyZwe51bPnNmbWn0J+1AO5emad1ucpK r5iPZB67/wCweDd41QUJD22bk4Xj/r0ly9LhElPVTIGQ5FbvuK+R2Pqfou+8EdatcEIJ I9iiLFCR+QjqsT+XwIEQzlxkV1buPFRt3hUJithOkzA/lluxGxrO8J24ho51vkdc8o11 gB7LsZ1bS/ZAdxGEjx7LDVrrXyaMWTy1A/Kek17sVtkpl2VZfPr2n1/NNmOCSJ9AN135 Wi0Q==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=mMOcalef; arc=pass (i=1 dkim=pass dkdomain=linuxfoundation.org); spf=pass (google.com: domain of linux-kernel+bounces-178542-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-178542-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id d75a77b69052e-43e120c2cafsi57669411cf.444.2024.05.14.03.41.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 May 2024 03:41:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-178542-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=mMOcalef; arc=pass (i=1 dkim=pass dkdomain=linuxfoundation.org); spf=pass (google.com: domain of linux-kernel+bounces-178542-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-178542-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 164511C21031 for ; Tue, 14 May 2024 10:41:25 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 712CB13D60F; Tue, 14 May 2024 10:06:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="mMOcalef" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 940B213AA4E for ; Tue, 14 May 2024 10:06:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715681203; cv=none; b=gS8kXNsl89LiiujVfwnI/lvWr7pRi0ScR1Auq8kLtsRzzwpYu/aSVT+gqmbltuvou1oOyrV+Jftslps6R6FZD39Pzyoe1YmEtfMk5773VdtxkRtYs57aAXHT5X5c2pSoWgl0tAGMXWoNHcrQTBYix+lI+4qH5FBKgghOAZ12ac8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715681203; c=relaxed/simple; bh=ZZGB3QQLbx9thwXnWrDjUTHhrcBF4DS6mic9U+ZCYqk=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=DUmxtXmXlTlahIz8tGQP5ekIs3Zx4nyB9AfiLFAWIhYMgZjlmmmhjYn6cdZAfXZENqpiZC6LccPa2cbdW5xM5vCZJcSumKiAPpAuKt6W3d7vKOmfuKys+rWiSCDwWuIP/LV2OMN9/Wzm0Gi8A7VrGUGhz2NesVNVwo4fKyK21WU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=mMOcalef; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8C607C2BD10; Tue, 14 May 2024 10:06:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1715681203; bh=ZZGB3QQLbx9thwXnWrDjUTHhrcBF4DS6mic9U+ZCYqk=; h=From:To:Cc:Subject:Date:From; b=mMOcalef94Gh7a4egYXlueneWoXw30OU3pbBDxR3l8zG7ZbOpnl8fcldb62LJLynq YhMYcB6MpyGOdBELmjE1IOpVb8hUgk9JyeOcvI4VldNR3q7HWx+jJK1uVmOAb+Cbzv 7275LoXGYGtdfnc0x9NNM0anf28AjFyyUjnWerr0= From: Greg Kroah-Hartman To: jfs-discussion@lists.sourceforge.net Cc: linux-kernel@vger.kernel.org, Greg Kroah-Hartman , syzbot+9dfe490c8176301c1d06@syzkaller.appspotmail.com, Dave Kleikamp Subject: [PATCH] jfs: xattr: fix buffer overflow for invalid xattr Date: Tue, 14 May 2024 12:06:34 +0200 Message-ID: <2024051433-slider-cloning-98f9@gregkh> X-Mailer: git-send-email 2.45.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Lines: 34 X-Developer-Signature: v=1; a=openpgp-sha256; l=1239; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=ZZGB3QQLbx9thwXnWrDjUTHhrcBF4DS6mic9U+ZCYqk=; b=owGbwMvMwCRo6H6F97bub03G02pJDGnO5qv+b1nnWaSilLdEzibVtaXv8oadskYB7Qu7DRaG3 fGu5t/UEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABP5f4hhNrvzNc2T0jbeNbJv vpZpn7rxaeG72wwLdhQ2sfvOuvJ2L/dlsbrGm7/E79b3AwA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. Fix this all up by properly restricting the size of the debug hex dump in the kernel log. Reported-by: syzbot+9dfe490c8176301c1d06@syzkaller.appspotmail.com Cc: Dave Kleikamp Signed-off-by: Greg Kroah-Hartman --- fs/jfs/xattr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c index 0fb7afac298e..9987055293b3 100644 --- a/fs/jfs/xattr.c +++ b/fs/jfs/xattr.c @@ -557,9 +557,11 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size) size_check: if (EALIST_SIZE(ea_buf->xattr) != ea_size) { + int size = min_t(int, EALIST_SIZE(ea_buf->xattr), ea_size); + printk(KERN_ERR "ea_get: invalid extended attribute\n"); print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1, - ea_buf->xattr, ea_size, 1); + ea_buf->xattr, size, 1); ea_release(inode, ea_buf); rc = -EIO; goto clean_up; -- 2.45.0