lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <bug-199185-13602-LlKOZpR00Y@https.bugzilla.kernel.org/>
Date:   Sun, 25 Mar 2018 07:00:10 +0000
From:   bugzilla-daemon@...zilla.kernel.org
To:     linux-ext4@...nel.org
Subject: [Bug 199185] Invalid pointer dereference in get_acl (fs/posix_acl.c)
 when mounting and operating crafted ext4 image

https://bugzilla.kernel.org/show_bug.cgi?id=199185

--- Comment #3 from Theodore Tso (tytso@....edu) ---
Thank you for the bug report.  The following should address the issue
you reported:

commit de57a63ea4389e39b1cdd1cef15e1ec9b58a964c
Author: Theodore Ts'o <tytso@....edu>
Date:   Sun Mar 25 02:58:44 2018 -0400

    ext4: add better range checking for e_value_size in xattrs

    https://bugzilla.kernel.org/show_bug.cgi?id=199185

    Reported-by: Wen Xu <wen.xu@...ech.edu>
    Signed-off-by: Theodore Ts'o <tytso@....edu>
    Cc: stable@...r.kernel.org

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 63656dbafdc4..7604d750d234 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -523,10 +523,10 @@ ext4_xattr_block_get(struct inode *inode, int name_index,
const char *name,
        if (error)
                goto cleanup;
        size = le32_to_cpu(entry->e_value_size);
+       error = -ERANGE;
+       if (size < 0 || size > buffer_size)
+               goto cleanup;
        if (buffer) {
-               error = -ERANGE;
-               if (size > buffer_size)
-                       goto cleanup;
                if (entry->e_value_inum) {
                        error = ext4_xattr_inode_get(inode, entry, buffer,
                                                     size);
@@ -572,10 +572,10 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index,
const char *name,
        if (error)
                goto cleanup;
        size = le32_to_cpu(entry->e_value_size);
+       error = -ERANGE;
+       if (size < 0 || size > buffer_size)
+               goto cleanup;
        if (buffer) {
-               error = -ERANGE;
-               if (size > buffer_size)
-                       goto cleanup;
                if (entry->e_value_inum) {
                        error = ext4_xattr_inode_get(inode, entry, buffer,
                                                     size);

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ