[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1529311091-8307-1-git-send-email-nborisov@suse.com>
Date: Mon, 18 Jun 2018 11:38:11 +0300
From: Nikolay Borisov <nborisov@...e.com>
To: shaggy@...nel.org
Cc: jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
shankarapailoor@...il.com, Nikolay Borisov <nborisov@...e.com>
Subject: [PATCH] jfs: Fix buffer overrun in ea_get
Currently ea_buf->xattr buffer is allocated with min(min_size, ea_size).
This is wrong since after the xattr buffer is allocated the ->max_size
variable is actually rounded up to th next ->s_blocksize size. Fix this
by using the rounded up max_size as input to the malloc.
Suggested-by: Shankara Pailoor <shankarapailoor@...il.com>
Reported-by: Shankara Pailoor <shankarapailoor@...il.com>
CC: shankarapailoor@...il.com
Signed-off-by: Nikolay Borisov <nborisov@...e.com>
---
Hello David,
I'm sending you the patch for the issue which was originally reported and
suggested by Shankar. I won't usually got and override the original
author of a patch but given the clear lack of experience with upstream (missing
SOB line, no changelog explaining the change etc) and the
fact there is already a CVE for this issue (using syzkaller for quick CVE
generation seems to be all the rage these days, go figure...) I'd rather have
an upstream, backportable version sooner rather than later.
fs/jfs/xattr.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
index c60f3d32ee91..96b9355ff69a 100644
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -493,14 +493,14 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
* To keep the rest of the code simple. Allocate a
* contiguous buffer to work with
*/
- ea_buf->xattr = kmalloc(size, GFP_KERNEL);
- if (ea_buf->xattr == NULL)
- return -ENOMEM;
-
ea_buf->flag = EA_MALLOC;
ea_buf->max_size = (size + sb->s_blocksize - 1) &
~(sb->s_blocksize - 1);
+ ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL);
+ if (ea_buf->xattr == NULL)
+ return -ENOMEM;
+
if (ea_size == 0)
return 0;
--
2.7.4
Powered by blists - more mailing lists