Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

xfs: fix a UAF problem in xattr repair

The xchk_setup_xattr_buf function can allocate a new value buffer, which
means that any reference to ab->value before the call could become a
dangling pointer. Fix this by moving an assignment to after the buffer
setup.

Cc: stable@vger.kernel.org # v6.10
Fixes: e47dcf113ae348 ("xfs: repair extended attributes")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>

authored by Darrick J. Wong and committed by Carlos Maiolino
5990fd75 2145f447

+1 -1
fs/xfs/scrub/attr_repair.c
··· 333 333 .attr_filter = ent->flags & XFS_ATTR_NSP_ONDISK_MASK, 334 334 .namelen = rentry->namelen, 335 335 .name = rentry->name, 336 - .value = ab->value, 337 336 .valuelen = be32_to_cpu(rentry->valuelen), 338 337 }; 339 338 unsigned int namesize; ··· 362 363 error = -EDEADLOCK; 363 364 if (error) 364 365 return error; 366 + args.value = ab->value; 365 367 366 368 /* Look up the remote value and stash it for reconstruction. */ 367 369 error = xfs_attr3_leaf_getvalue(leaf_bp, &args);
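
Review bot: the added `args.value = ab->value;` in the second hunk (new line 366) has no comment tying its position to the buffer setup, so a later cleanup could fold it back into the `args` initializer that the first hunk removes it from, which would reintroduce the dangling pointer the commit message describes. Suggest a one-line comment directly above it, for example `/* xchk_setup_xattr_buf may reallocate ab->value, so sample it only after setup */`. It is also worth confirming that nothing between the declaration of `args` and this line reads `args.value`: with `.value` dropped from the designated initializer the member is NULL in that window while `.valuelen` is already set.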