ext4: add additional sanity check for ext4_acl_from_disk()

Message ID 20180902153540.15343-1-cgxu519@gmx.com
State Rejected

Commit Message

cgxu519 Sept. 2, 2018, 3:35 p.m. UTC
In the case ACL_USER and ACL_GROUP we check if value has exceeded end,
add same check in the case ACL_OTHER as well.

Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
---
 fs/ext4/acl.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Theodore Ts'o Sept. 3, 2018, 2:33 p.m. UTC | #1
On Sun, Sep 02, 2018 at 11:35:40PM +0800, Chengguang Xu wrote:
> In the case ACL_USER and ACL_GROUP we check if value has exceeded end,
> add same check in the case ACL_OTHER as well.
> 
> Signed-off-by: Chengguang Xu <cgxu519@gmx.com>

As Jan pointed out with the ext2 version of this patch, the check is
done earlier in the for loop (in order to make sure it's safe to
dereference entry->e_tag and entry->e_perm).

					- Ted

Patch

diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
index fb50f9aa6ead..9785a559337b 100644
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -52,6 +52,8 @@  ext4_acl_from_disk(const void *value, size_t size)
 		case ACL_OTHER:
 			value = (char *)value +
 				sizeof(ext4_acl_entry_short);
+			if ((char *)value > end)
+				goto fail;
 			break;
 
 		case ACL_USER:
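
Review bot: the new `if ((char *)value > end) goto fail;` under `case ACL_OTHER:` is justified in the commit message only by symmetry with ACL_USER and ACL_GROUP, with no input named that reaches it. The reply in this thread states that the bounds check is already done earlier in the for loop, before `entry->e_tag` and `entry->e_perm` are dereferenced, so this check looks redundant. Either drop it, or say in the commit message which malformed ACL value it rejects that the loop-head check does not.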