1 ext4: add corruption check in ext4_xattr_set_entry()
3 In theory this should have been caught earlier when the xattr list was
4 verified, but in case it got missed, it's simple enough to add a check
5 to make sure we don't overrun the xattr buffer.
7 This addresses CVE-2018-10879.
9 https://bugzilla.kernel.org/show_bug.cgi?id=200001
11 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
12 Reviewed-by: Andreas Dilger <adilger@dilger.ca>
14 fs/ext4/xattr.c | 10 ++++++++--
15 1 file changed, 8 insertions(+), 2 deletions(-)
17 diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
18 index fc4ced59c565..230ba79715f6 100644
21 @@ -1560,7 +1560,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i,
22 handle_t *handle, struct inode *inode,
25 - struct ext4_xattr_entry *last;
26 + struct ext4_xattr_entry *last, *next;
27 struct ext4_xattr_entry *here = s->here;
28 size_t min_offs = s->end - s->base, name_len = strlen(i->name);
29 int in_inode = i->in_inode;
30 @@ -1595,7 +1595,13 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i,
32 /* Compute min_offs and last. */
34 - for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
35 + for (; !IS_LAST_ENTRY(last); last = next) {
36 + next = EXT4_XATTR_NEXT(last);
37 + if ((void *)next >= s->end) {
38 + EXT4_ERROR_INODE(inode, "corrupted xattr entries");
39 + ret = -EFSCORRUPTED;
42 if (!last->e_value_inum && last->e_value_size) {
43 size_t offs = le16_to_cpu(last->e_value_offs);