diff mbox series

[1/3] ubifs: check the remaining name buffer during xattr list

Message ID 20200630130438.141649-2-houtao1@huawei.com
State New
Headers show
Series fixes for ubifs xattr operations | expand

Commit Message

Hou Tao June 30, 2020, 1:04 p.m. UTC
When there are concurrent xattr list and xattr write operations,
it is possible xattr_names + xattr_cnt has been increased a lot
by xattr write op since its last read in the begin of ubifs_listxattr().
So ubifs_listxattr() may find these newly updated or added xattrs,
try to copy these xattr names regardless of the remaing buffer size,
and lead to the corruption of buffer and assertion failure.

Simply fixing it by checking the remaining size of name buffer
before copying the xattr name.

Signed-off-by: Hou Tao <houtao1@huawei.com>
 fs/ubifs/xattr.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff mbox series


diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c
index 9aefbb60074f..5591b9fa1d86 100644
--- a/fs/ubifs/xattr.c
+++ b/fs/ubifs/xattr.c
@@ -429,6 +429,12 @@  ssize_t ubifs_listxattr(struct dentry *dentry, char *buffer, size_t size)
 		fname_len(&nm) = le16_to_cpu(xent->nlen);
 		if (xattr_visible(xent->name)) {
+			if (size - written < fname_len(&nm) + 1) {
+				kfree(pxent);
+				kfree(xent);
+				return -ERANGE;
+			}
 			memcpy(buffer + written, fname_name(&nm), fname_len(&nm) + 1);
 			written += fname_len(&nm) + 1;