diff mbox series

[1/3] ubifs: check the remaining name buffer during xattr list

Message ID 20200630130438.141649-2-houtao1@huawei.com
State Changes Requested
Delegated to: Richard Weinberger
Series: fixes for ubifs xattr operations

Commit Message

Hou Tao June 30, 2020, 1:04 p.m. UTC
When there are concurrent xattr list and xattr write operations,
it is possible that xattr_names + xattr_cnt has been increased a lot
by the xattr write op since it was last read at the beginning of ubifs_listxattr().
So ubifs_listxattr() may find these newly updated or added xattrs,
try to copy these xattr names regardless of the remaining buffer size,
and lead to buffer corruption and an assertion failure.

Simply fix it by checking the remaining size of the name buffer
before copying the xattr name.

Signed-off-by: Hou Tao <houtao1@huawei.com>
---
 fs/ubifs/xattr.c | 6 ++++++
 1 file changed, 6 insertions(+)

Patch

diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c
index 9aefbb60074f..5591b9fa1d86 100644
--- a/fs/ubifs/xattr.c
+++ b/fs/ubifs/xattr.c
@@ -429,6 +429,12 @@  ssize_t ubifs_listxattr(struct dentry *dentry, char *buffer, size_t size)
 		fname_len(&nm) = le16_to_cpu(xent->nlen);
 
 		if (xattr_visible(xent->name)) {
+			if (size - written < fname_len(&nm) + 1) {
+				kfree(pxent);
+				kfree(xent);
+				return -ERANGE;
+			}
+
 			memcpy(buffer + written, fname_name(&nm), fname_len(&nm) + 1);
 			written += fname_len(&nm) + 1;
 		}
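Review bot: the new check at the top of the `xattr_visible()` branch stops the overrun, but it treats the race described in the commit message as a caller error: when a concurrent xattr write grows the set between the initial `xattr_names + xattr_cnt` sizing and the copy loop, the caller now gets `-ERANGE` for a buffer that was large enough when it asked for the size, so user space sees listxattr fail spuriously and has to retry. Consider either serializing ubifs_listxattr() against the xattr write paths so the sizing and the copy see one consistent set, or stating in the commit message why returning `-ERANGE` in this situation is the intended behaviour. Two smaller points on the same lines: `size - written` relies on `written <= size` being an invariant of the loop (it is, since `written` only grows after this check), and the condition reads more directly as `written + fname_len(&nm) + 1 > size`; and the `kfree(pxent); kfree(xent);` pair duplicates the existing error-path cleanup in this function, so a `goto` to that label would keep the cleanup in one place.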