From patchwork Tue Jun 30 13:04:36 2020
X-Patchwork-Submitter: Hou Tao
X-Patchwork-Id: 1319868
X-Patchwork-Delegate: richard@nod.at
From: Hou Tao
To: Richard Weinberger
Cc: houtao1@huawei.com
Subject: [PATCH 1/3] ubifs: check the remaining name buffer during xattr list
Date: Tue, 30 Jun 2020 21:04:36 +0800
Message-ID: <20200630130438.141649-2-houtao1@huawei.com>
In-Reply-To: <20200630130438.141649-1-houtao1@huawei.com>
References: <20200630130438.141649-1-houtao1@huawei.com>

When there are concurrent xattr list and xattr write operations, it is
possible xattr_names + xattr_cnt has been increased a lot by xattr write
op since its last read at the beginning of ubifs_listxattr(). So
ubifs_listxattr() may find these newly updated or added xattrs, try to
copy these xattr names regardless of the remaining buffer size, and lead
to the corruption of buffer and assertion failure.

Simply fix it by checking the remaining size of name buffer before
copying the xattr name.

Signed-off-by: Hou Tao
---
 fs/ubifs/xattr.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c index 9aefbb60074f..5591b9fa1d86 100644 --- a/fs/ubifs/xattr.c +++ b/fs/ubifs/xattr.c @@ -429,6 +429,12 @@ ssize_t ubifs_listxattr(struct dentry *dentry, char *buffer, size_t size) fname_len(&nm) = le16_to_cpu(xent->nlen); if (xattr_visible(xent->name)) { + if (size - written < fname_len(&nm) + 1) { + kfree(pxent); + kfree(xent); + return -ERANGE; + } + memcpy(buffer + written, fname_name(&nm), fname_len(&nm) + 1); written += fname_len(&nm) + 1; }
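
Review bot: the new early return inside the xattr_visible(xent->name) branch has no comment saying why the buffer can run out at this point, so a later reader may take the check for redundant and remove it. A one-line comment above "if (size - written < fname_len(&nm) + 1)" noting that xattrs can be added concurrently after the size was first read would tie the code to the race described in the commit message. Two smaller points on the same lines: size is a size_t, so "size - written" is unsigned and only meaningful while written <= size; the check preserves that across iterations, but it has to hold on entry to the loop, which the hunk does not show. The error path frees pxent and xent by hand; if the function already has a common cleanup path for those two pointers, jumping to it with the error code set would avoid a second copy of the cleanup, and it is worth confirming nothing else acquired before the loop needs releasing here.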