lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 12 Jun 2018 23:05:07 -0600
From:   Andreas Dilger <adilger@...ger.ca>
To:     Theodore Ts'o <tytso@....edu>
Cc:     Ext4 Developers List <linux-ext4@...r.kernel.org>,
        wen.xu@...ech.edu
Subject: Re: [PATCH 1/2] ext4: add corruption check in ext4_xattr_set_entry()

On Jun 12, 2018, at 10:52 PM, Theodore Ts'o <tytso@....edu> wrote:
> 
> In theory this should have been caught earlier when the xattr list was
> verified, but in case it got missed, it's simple enough to add check
> to make sure we don't overrun the xattr buffer.
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=200001
> 
> Signed-off-by: Theodore Ts'o <tytso@....edu>

Reviewed-by: Andreas Dilger <adilger@...ger.ca>

> ---
> fs/ext4/xattr.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
> index fc4ced59c565..230ba79715f6 100644
> --- a/fs/ext4/xattr.c
> +++ b/fs/ext4/xattr.c
> @@ -1560,7 +1560,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i,
> 				handle_t *handle, struct inode *inode,
> 				bool is_block)
> {
> -	struct ext4_xattr_entry *last;
> +	struct ext4_xattr_entry *last, *next;
> 	struct ext4_xattr_entry *here = s->here;
> 	size_t min_offs = s->end - s->base, name_len = strlen(i->name);
> 	int in_inode = i->in_inode;
> @@ -1595,7 +1595,13 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i,
> 
> 	/* Compute min_offs and last. */
> 	last = s->first;
> -	for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
> +	for (; !IS_LAST_ENTRY(last); last = next) {
> +		next = EXT4_XATTR_NEXT(last);
> +		if ((void *)next >= s->end) {
> +			EXT4_ERROR_INODE(inode, "corrupted xattr entries");
> +			ret = -EFSCORRUPTED;
> +			goto out;
> +		}
> 		if (!last->e_value_inum && last->e_value_size) {
> 			size_t offs = le16_to_cpu(last->e_value_offs);
> 			if (offs < min_offs)
> --
> 2.18.0.rc0
> 


Cheers, Andreas






Download attachment "signature.asc" of type "application/pgp-signature" (874 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ