From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, lei lu <llfamsec@gmail.com>,
Dave Kleikamp <dave.kleikamp@oracle.com>
Subject: [PATCH 6.1 04/13] jfs: dont walk off the end of ealist
Date: Thu, 25 Jul 2024 16:37:13 +0200 [thread overview]
Message-ID: <20240725142728.200427513@linuxfoundation.org> (raw)
In-Reply-To: <20240725142728.029052310@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: lei lu <llfamsec@gmail.com>
commit d0fa70aca54c8643248e89061da23752506ec0d4 upstream.
Add a check before visiting the members of ea to
make sure each ea stays within the ealist.
Signed-off-by: lei lu <llfamsec@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jfs/xattr.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -797,7 +797,7 @@ ssize_t __jfs_getxattr(struct inode *ino
size_t buf_size)
{
struct jfs_ea_list *ealist;
- struct jfs_ea *ea;
+ struct jfs_ea *ea, *ealist_end;
struct ea_buffer ea_buf;
int xattr_size;
ssize_t size;
@@ -817,9 +817,16 @@ ssize_t __jfs_getxattr(struct inode *ino
goto not_found;
ealist = (struct jfs_ea_list *) ea_buf.xattr;
+ ealist_end = END_EALIST(ealist);
/* Find the named attribute */
- for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea))
+ for (ea = FIRST_EA(ealist); ea < ealist_end; ea = NEXT_EA(ea)) {
+ if (unlikely(ea + 1 > ealist_end) ||
+ unlikely(NEXT_EA(ea) > ealist_end)) {
+ size = -EUCLEAN;
+ goto release;
+ }
+
if ((namelen == ea->namelen) &&
memcmp(name, ea->name, namelen) == 0) {
/* Found it */
@@ -834,6 +841,7 @@ ssize_t __jfs_getxattr(struct inode *ino
memcpy(data, value, size);
goto release;
}
+ }
not_found:
size = -ENODATA;
release:
@@ -861,7 +869,7 @@ ssize_t jfs_listxattr(struct dentry * de
ssize_t size = 0;
int xattr_size;
struct jfs_ea_list *ealist;
- struct jfs_ea *ea;
+ struct jfs_ea *ea, *ealist_end;
struct ea_buffer ea_buf;
down_read(&JFS_IP(inode)->xattr_sem);
@@ -876,9 +884,16 @@ ssize_t jfs_listxattr(struct dentry * de
goto release;
ealist = (struct jfs_ea_list *) ea_buf.xattr;
+ ealist_end = END_EALIST(ealist);
/* compute required size of list */
- for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea)) {
+ for (ea = FIRST_EA(ealist); ea < ealist_end; ea = NEXT_EA(ea)) {
+ if (unlikely(ea + 1 > ealist_end) ||
+ unlikely(NEXT_EA(ea) > ealist_end)) {
+ size = -EUCLEAN;
+ goto release;
+ }
+
if (can_list(ea))
size += name_size(ea) + 1;
}
next prev parent reply other threads:[~2024-07-25 14:45 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-25 14:37 [PATCH 6.1 00/13] 6.1.102-rc1 review Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.1 01/13] drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.1 02/13] f2fs: avoid dead loop in f2fs_issue_checkpoint() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.1 03/13] ocfs2: add bounds checking to ocfs2_check_dir_entry() Greg Kroah-Hartman
2024-07-25 14:37 ` Greg Kroah-Hartman [this message]
2024-07-25 14:37 ` [PATCH 6.1 05/13] fs/ntfs3: Validate ff offset Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.1 06/13] ALSA: hda/realtek: Enable headset mic on Positivo SU C1400 Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.1 07/13] ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.1 08/13] arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.1 09/13] arm64: dts: qcom: ipq6018: " Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.1 10/13] arm64: dts: qcom: sdm630: " Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.1 11/13] ALSA: pcm_dmaengine: Dont synchronize DMA channel when DMA is paused Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.1 12/13] filelock: Fix fcntl/close race recovery compat path Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 6.1 13/13] btrfs: do not BUG_ON on failure to get dir index for new snapshot Greg Kroah-Hartman
2024-07-25 19:34 ` [PATCH 6.1 00/13] 6.1.102-rc1 review Peter Schneider
2024-07-25 23:20 ` SeongJae Park
2024-07-26 8:11 ` Pavel Machek
2024-07-26 9:32 ` Ron Economos
2024-07-26 11:36 ` Mark Brown
2024-07-26 16:35 ` Shuah Khan
2024-07-26 17:14 ` Jon Hunter
2024-07-26 17:35 ` Naresh Kamboju
2024-07-26 17:37 ` ChromeOS Kernel Stable Merge
2024-07-26 18:22 ` Florian Fainelli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240725142728.200427513@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dave.kleikamp@oracle.com \
--cc=llfamsec@gmail.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.