From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: David Disseldorp <ddiss@suse.de>, "Yan, Zheng" <zyan@redhat.com>,
Ilya Dryomov <idryomov@gmail.com>,
Sasha Levin <sashal@kernel.org>,
ceph-devel@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 18/47] ceph: fix listxattr vxattr buffer length calculation
Date: Fri, 26 Jul 2019 09:41:41 -0400
Message-ID: <20190726134210.12156-18-sashal@kernel.org>
In-Reply-To: <20190726134210.12156-1-sashal@kernel.org>
From: David Disseldorp <ddiss@suse.de>

[ Upstream commit 2b2abcac8c251d1c77a4cc9d9f248daefae0fb4e ]

ceph_listxattr() incorrectly returns a length based on the static
ceph_vxattrs_name_size() value, which only takes into account whether
vxattrs are hidden, ignoring vxattr.exists_cb().

When filling the xattr buffer ceph_listxattr() checks VXATTR_FLAG_HIDDEN
and vxattr.exists_cb(). If both are false, we return an incorrect
(oversize) length.

Fix this behaviour by always calculating the vxattrs length at runtime,
taking both vxattr.hidden and vxattr.exists_cb() into account.

This bug is only exposed with the new "ceph.snap.btime" vxattr, as all
other vxattrs with a non-null exists_cb also carry VXATTR_FLAG_HIDDEN.

Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ceph/xattr.c | 54 +++++++++++++++++++++++++++----------------------
1 file changed, 30 insertions(+), 24 deletions(-)
diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
index 5cc8b94f8206..996ee87b1eaf 100644
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -879,10 +879,9 @@ ssize_t ceph_listxattr(struct dentry *dentry, char *names, size_t size)
struct inode *inode = d_inode(dentry);
struct ceph_inode_info *ci = ceph_inode(inode);
struct ceph_vxattr *vxattrs = ceph_inode_vxattrs(inode);
- u32 vir_namelen = 0;
+ bool len_only = (size == 0);
u32 namelen;
int err;
- u32 len;
int i;
spin_lock(&ci->i_ceph_lock);
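Review bot: The new len_only flag in the declarations of ceph_listxattr() relies on the size == 0 convention without saying so; a short comment stating that size == 0 means the caller only wants the required length, and that names must not be written in that mode, would make the later branches easier to audit. Separately, the running total stays in u32 namelen and is handed back through int err from a function declared to return ssize_t, so it is worth carrying the length in one type from accumulation to return.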
@@ -901,38 +900,45 @@ ssize_t ceph_listxattr(struct dentry *dentry, char *names, size_t size)
err = __build_xattrs(inode);
if (err < 0)
goto out;
- /*
- * Start with virtual dir xattr names (if any) (including
- * terminating '\0' characters for each).
- */
- vir_namelen = ceph_vxattrs_name_size(vxattrs);
- /* adding 1 byte per each variable due to the null termination */
+ /* add 1 byte for each xattr due to the null termination */
namelen = ci->i_xattrs.names_size + ci->i_xattrs.count;
- err = -ERANGE;
- if (size && vir_namelen + namelen > size)
- goto out;
-
- err = namelen + vir_namelen;
- if (size == 0)
- goto out;
+ if (!len_only) {
+ if (namelen > size) {
+ err = -ERANGE;
+ goto out;
+ }
+ names = __copy_xattr_names(ci, names);
+ size -= namelen;
+ }
- names = __copy_xattr_names(ci, names);
/* virtual xattr names, too */
- err = namelen;
if (vxattrs) {
for (i = 0; vxattrs[i].name; i++) {
- if (!(vxattrs[i].flags & VXATTR_FLAG_HIDDEN) &&
- !(vxattrs[i].exists_cb &&
- !vxattrs[i].exists_cb(ci))) {
- len = sprintf(names, "%s", vxattrs[i].name);
- names += len + 1;
- err += len + 1;
+ size_t this_len;
+
+ if (vxattrs[i].flags & VXATTR_FLAG_HIDDEN)
+ continue;
+ if (vxattrs[i].exists_cb && !vxattrs[i].exists_cb(ci))
+ continue;
+
+ this_len = strlen(vxattrs[i].name) + 1;
+ namelen += this_len;
+ if (len_only)
+ continue;
+
+ if (this_len > size) {
+ err = -ERANGE;
+ goto out;
}
+
+ memcpy(names, vxattrs[i].name, this_len);
+ names += this_len;
+ size -= this_len;
}
}
-
+ err = namelen;
out:
spin_unlock(&ci->i_ceph_lock);
return err;
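Review bot: In the vxattr loop, the this_len > size check can return -ERANGE after __copy_xattr_names() and earlier memcpy() calls have already written into names, whereas the removed code rejected an undersized buffer before copying anything. If any caller may rely on the buffer being untouched on -ERANGE, compute the total in a first pass (the len_only path already does this) and copy only once it is known to fit; otherwise state the partial write in a comment next to the check. This hunk also drops the call to ceph_vxattrs_name_size() here, so check whether that helper still has other users or can be removed in a follow-up.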
--
2.20.1