From: Alan Huang <mmpgouride@gmail.com>
To: kent.overstreet@linux.dev, kees@kernel.org,
gustavoars@kernel.org, thorsten.blum@toblux.com
Cc: linux-bcachefs@vger.kernel.org, linux-hardening@vger.kernel.org,
Alan Huang <mmpgouride@gmail.com>
Subject: [PATCH] Revert "bcachefs: Annotate struct bch_xattr with __counted_by()"
Date: Fri, 2 May 2025 02:41:50 +0800
Message-ID: <20250501184150.200319-1-mmpgouride@gmail.com>

This reverts commit 86e92eeeb23741a072fe7532db663250ff2e726a.

After the x_name, there is a value. According to the discussion[1],
__counted_by assumes that the flexible array member contains exactly
the amount of elements that are specified. Now there are users who came across
a buffer overflow caused by the __counted_by here[2], so revert that.

[1] https://lore.kernel.org/lkml/Zv8VDKWN1GzLRT-_@archlinux/T/#m0ce9541c5070146320efd4f928cc1ff8de69e9b2
[2] https://privatebin.net/?a0d4e97d590d71e1#9bLmp2Kb5NU6X6cZEucchDcu88HzUQwHUah8okKPReEt

Signed-off-by: Alan Huang <mmpgouride@gmail.com>
---
fs/bcachefs/xattr_format.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/bcachefs/xattr_format.h b/fs/bcachefs/xattr_format.h
index c7916011ef34..e9f810539552 100644
--- a/fs/bcachefs/xattr_format.h
+++ b/fs/bcachefs/xattr_format.h
@@ -13,7 +13,7 @@ struct bch_xattr {
__u8 x_type;
__u8 x_name_len;
__le16 x_val_len;
- __u8 x_name[] __counted_by(x_name_len);
+ __u8 x_name[];
} __packed __aligned(8);
#endif /* _BCACHEFS_XATTR_FORMAT_H */
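Review bot: The restored `__u8 x_name[];` line carries no comment explaining why it must stay unannotated, so a later cleanup could reintroduce `__counted_by(x_name_len)` and bring the same overflow reports back. Per the commit message a value follows the name in this array, and `x_val_len` sits directly above it, so the member holds more than `x_name_len` bytes. Consider a short comment above the member, for example `/* x_name_len bytes of name, followed by x_val_len bytes of value; do not annotate with __counted_by(x_name_len) */`.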
--
2.48.1
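
The layout the commit message describes, as an added example (not code from the patch or from bcachefs): a userspace model of an xattr whose value follows the name inside `x_name[]`, showing that a bounds check trusting `x_name_len` rejects a read of the value even though it lies inside the allocation. The struct `xattr_model`, the helper names, the assumption that the value starts immediately after the name, and the sample name/value are all made up for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-in for struct bch_xattr: field names from the patch,
 * fixed-width types in place of __u8/__le16, packing attributes omitted. */
struct xattr_model {
	uint8_t  x_type;
	uint8_t  x_name_len;
	uint16_t x_val_len;
	uint8_t  x_name[];	/* name bytes, then value bytes (assumed adjacent) */
};

/* Constructed sample: the value is stored directly after the name. */
static struct xattr_model *xattr_build(const char *name, const char *val)
{
	size_t nlen = strlen(name), vlen = strlen(val);
	struct xattr_model *x = malloc(sizeof(*x) + nlen + vlen);
	if (!x) return NULL;
	x->x_type = 0;
	x->x_name_len = (uint8_t)nlen;
	x->x_val_len = (uint16_t)vlen;
	memcpy(x->x_name, name, nlen);
	memcpy(x->x_name + nlen, val, vlen);
	return x;
}

/* Bytes x_name[] really holds vs. what __counted_by(x_name_len) declares. */
static size_t xattr_real_bytes(const struct xattr_model *x)
{
	return (size_t)x->x_name_len + x->x_val_len;
}

static size_t xattr_annotated_bytes(const struct xattr_model *x)
{
	return x->x_name_len;
}

/* Model of a bounds-checked read of the value out of x_name[]: returns -1
 * where a checker trusting `bound` would flag an overflow, else 0. */
static int read_value(const struct xattr_model *x, size_t bound, char *out)
{
	size_t off = x->x_name_len, len = x->x_val_len;
	if (off > bound || len > bound - off)
		return -1;
	memcpy(out, x->x_name + off, len);
	out[len] = '\0';
	return 0;
}
```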