From patchwork Tue Jul 31 03:30:30 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Theodore Ts'o X-Patchwork-Id: 951358 Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=linux-ext4-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=mit.edu Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=thunk.org header.i=@thunk.org header.b="WlzGoxyB"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 41fhlx49cYz9ryn for ; Tue, 31 Jul 2018 13:30:37 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726626AbeGaFIl (ORCPT ); Tue, 31 Jul 2018 01:08:41 -0400 Received: from imap.thunk.org ([74.207.234.97]:45392 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726389AbeGaFIl (ORCPT ); Tue, 31 Jul 2018 01:08:41 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org; s=ef5046eb; h=Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=FSk9mTItq9MH584VzQn2pMwUawB1yPTKMTGAoeGqqc0=; b=WlzGoxyBTOQv16OTqCglhuWoQn YWLHDB7vZeRy6Ncpi9dwYAXsvYjebDXtIl4ABaaQX8sHpg46r3BcTRoVo8Vt9D3WQNQuF5t2wpLQ6 q8yPKycTe2MyX/PZuuuUdFNOnOnJxyh/WqE/7Vv1DFCakk83LO8tK6PAGOt4zcJSt49Q=; Received: from root (helo=callcc.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.89) (envelope-from ) id 1fkLMo-0001ip-9Z; Tue, 31 Jul 2018 03:30:34 +0000 Received: by callcc.thunk.org (Postfix, from userid 15806) id AD75C7A614C; Mon, 30 Jul 2018 23:30:32 -0400 (EDT) From: Theodore Ts'o To: Ext4 Developers List Cc: wen.xu@gatech.edu, Theodore Ts'o Subject: [PATCH] ext4: check for NUL characters in extended attribute's name Date: Mon, 30 Jul 2018 23:30:30 -0400 Message-Id: <20180731033030.30004-1-tytso@mit.edu> X-Mailer: git-send-email 2.18.0.rc0 X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org Extended attribute names are defined to be NUL-terminated, so the name must not contain a NUL character. This is important because there are places when remove extended attribute, the code uses strlen to determine the length of the entry. That should probably be fixed at some point, but code is currently really messy, so the simplest fix for now is to simply validate that the extended attributes are sane. https://bugzilla.kernel.org/show_bug.cgi?id=200623 Reported-by: Wen Xu Signed-off-by: Theodore Ts'o --- fs/ext4/xattr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 723df14f4084..f36fc5d5b257 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -190,6 +190,8 @@ ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end, struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(e); if ((void *)next >= end) return -EFSCORRUPTED; + if (strnlen(e->e_name, e->e_name_len) != e->e_name_len) + return -EFSCORRUPTED; e = next; }