| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 7 Dec 2022 15:40:39 +0800
From: Ye Bin <yebin@...weicloud.com>
To: tytso@....edu, adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, jack@...e.cz,
Ye Bin <yebin10@...wei.com>
Subject: [PATCH v2 2/6] ext4: add primary check extended attribute inode in ext4_xattr_check_entries()
From: Ye Bin <yebin10@...wei.com>
Add primary check for extended attribute inode, only do hash check when read
ea_inode's data in ext4_xattr_inode_get().
Signed-off-by: Ye Bin <yebin10@...wei.com>
---
fs/ext4/xattr.c | 41 ++++++++++++++++++++++++++++++++++++-----
1 file changed, 36 insertions(+), 5 deletions(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 718ef3987f94..eed001eee3ec 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -83,6 +83,9 @@ static __le32 ext4_xattr_hash_entry(char *name, size_t name_len, __le32 *value,
size_t value_count);
static void ext4_xattr_rehash(struct ext4_xattr_header *);
+static int ext4_xattr_inode_iget(struct inode *parent, unsigned long ea_ino,
+ u32 ea_inode_hash, struct inode **ea_inode);
+
static const struct xattr_handler * const ext4_xattr_handler_map[] = {
[EXT4_XATTR_INDEX_USER] = &ext4_xattr_user_handler,
#ifdef CONFIG_EXT4_FS_POSIX_ACL
@@ -181,9 +184,32 @@ ext4_xattr_handler(int name_index)
return handler;
}
+static inline int ext4_xattr_check_extra_inode(struct inode *inode,
+ struct ext4_xattr_entry *entry)
+{
+ int err;
+ struct inode *ea_inode;
+
+ err = ext4_xattr_inode_iget(inode, le32_to_cpu(entry->e_value_inum),
+ le32_to_cpu(entry->e_hash), &ea_inode);
+ if (err)
+ return err;
+
+ if (i_size_read(ea_inode) != le32_to_cpu(entry->e_value_size)) {
+ ext4_warning_inode(ea_inode,
+ "ea_inode file size=%llu entry size=%u",
+ i_size_read(ea_inode),
+ le32_to_cpu(entry->e_value_size));
+ err = -EFSCORRUPTED;
+ }
+ iput(ea_inode);
+
+ return err;
+}
+
static int
-ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end,
- void *value_start)
+ext4_xattr_check_entries(struct inode *inode, struct ext4_xattr_entry *entry,
+ void *end, void *value_start)
{
struct ext4_xattr_entry *e = entry;
@@ -221,6 +247,10 @@ ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end,
size > end - value ||
EXT4_XATTR_SIZE(size) > end - value)
return -EFSCORRUPTED;
+ } else if (entry->e_value_inum) {
+ int err = ext4_xattr_check_extra_inode(inode, entry);
+ if (err)
+ return err;
}
entry = EXT4_XATTR_NEXT(entry);
}
@@ -243,8 +273,8 @@ __ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh,
error = -EFSBADCRC;
if (!ext4_xattr_block_csum_verify(inode, bh))
goto errout;
- error = ext4_xattr_check_entries(BFIRST(bh), bh->b_data + bh->b_size,
- bh->b_data);
+ error = ext4_xattr_check_entries(inode, BFIRST(bh),
+ bh->b_data + bh->b_size, bh->b_data);
errout:
if (error)
__ext4_error_inode(inode, function, line, 0, -error,
@@ -268,7 +298,8 @@ __xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
if (end - (void *)header < sizeof(*header) + sizeof(u32) ||
(header->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC)))
goto errout;
- error = ext4_xattr_check_entries(IFIRST(header), end, IFIRST(header));
+ error = ext4_xattr_check_entries(inode, IFIRST(header), end,
+ IFIRST(header));
errout:
if (error)
__ext4_error_inode(inode, function, line, 0, -error,
--
2.31.1
Powered by blists - more mailing lists