summaryrefslogtreecommitdiff
path: root/fs/ext4
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2018-03-29 14:31:42 -0400
committerTheodore Ts'o <tytso@mit.edu>2018-03-29 14:31:42 -0400
commitce3fd194fcc6fbdc00ce095a852f22df97baa401 (patch)
tree253d8a212f3e27bf2fc56e8176a4b44f8e15c944 /fs/ext4
parent7dac4a1726a9c64a517d595c40e95e2d0d135f6f (diff)
ext4: limit xattr size to INT_MAX
ext4 isn't validating the sizes of xattrs where the value of the xattr is stored in an external inode. This is problematic because ->e_value_size is a u32, but ext4_xattr_get() returns an int. A very large size is misinterpreted as an error code, which ext4_get_acl() translates into a bogus ERR_PTR() for which IS_ERR() returns false, causing a crash. Fix this by validating that all xattrs are <= INT_MAX bytes. This issue has been assigned CVE-2018-1095. https://bugzilla.kernel.org/show_bug.cgi?id=199185 https://bugzilla.redhat.com/show_bug.cgi?id=1560793 Reported-by: Wen Xu <wen.xu@gatech.edu> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Cc: stable@vger.kernel.org Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
Diffstat (limited to 'fs/ext4')
-rw-r--r--fs/ext4/xattr.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 63656dbafdc4..2077d87b09f2 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -195,10 +195,13 @@ ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end,
/* Check the values */
while (!IS_LAST_ENTRY(entry)) {
- if (entry->e_value_size != 0 &&
- entry->e_value_inum == 0) {
+ u32 size = le32_to_cpu(entry->e_value_size);
+
+ if (size > INT_MAX)
+ return -EFSCORRUPTED;
+
+ if (size != 0 && entry->e_value_inum == 0) {
u16 offs = le16_to_cpu(entry->e_value_offs);
- u32 size = le32_to_cpu(entry->e_value_size);
void *value;
/*