forked from Minki/linux
ext4: limit xattr size to INT_MAX
ext4 isn't validating the sizes of xattrs where the value of the xattr
is stored in an external inode. This is problematic because
->e_value_size is a u32, but ext4_xattr_get() returns an int. A very
large size is misinterpreted as an error code, which ext4_get_acl()
translates into a bogus ERR_PTR() for which IS_ERR() returns false,
causing a crash.
Fix this by validating that all xattrs are <= INT_MAX bytes.
This issue has been assigned CVE-2018-1095.
https://bugzilla.kernel.org/show_bug.cgi?id=199185
https://bugzilla.redhat.com/show_bug.cgi?id=1560793
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
Fixes: e50e5129f3
("ext4: xattr-in-inode support")
This commit is contained in:
parent
7dac4a1726
commit
ce3fd194fc
@ -195,10 +195,13 @@ ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end,
|
||||
|
||||
/* Check the values */
|
||||
while (!IS_LAST_ENTRY(entry)) {
|
||||
if (entry->e_value_size != 0 &&
|
||||
entry->e_value_inum == 0) {
|
||||
u32 size = le32_to_cpu(entry->e_value_size);
|
||||
|
||||
if (size > INT_MAX)
|
||||
return -EFSCORRUPTED;
|
||||
|
||||
if (size != 0 && entry->e_value_inum == 0) {
|
||||
u16 offs = le16_to_cpu(entry->e_value_offs);
|
||||
u32 size = le32_to_cpu(entry->e_value_size);
|
||||
void *value;
|
||||
|
||||
/*
|
||||
|
Loading…
Reference in New Issue
Block a user