tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

orangefs: validate getxattr response length

orangefs_inode_getxattr() trusts the userspace-client-controlled
downcall.resp.getxattr.val_sz and uses it as a memcpy() length
both for the temporary user buffer and the cached xattr buffer.
Reject malformed negative or oversized lengths before copying
response bytes.

Reported-by: Hyungjung Joo <jhj140711@gmail.com>
Signed-off-by: HyungJung Joo <jhj140711@gmail.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>

authored by

HyungJung Joo and committed by
Mike Marshall 092e0d0e 415e507c

+4
+4
fs/orangefs/xattr.c
··· 188 188 * Length returned includes null terminator. 189 189 */ 190 190 length = new_op->downcall.resp.getxattr.val_sz; 191 + if (length < 0 || length > ORANGEFS_MAX_XATTR_VALUELEN) { 192 + ret = -EIO; 193 + goto out_release_op; 194 + } 191 195 192 196 /* 193 197 * Just return the length of the queried attribute.