jfs: fix xattr value size overflow in __jfs_setxattr
There is a potential overflow if the specified EA value size is greater than USHRT_MAX, because the size of the value is limited by the on-disk format (i.e., __le16). This issue can be reproduced with the tests below:

    # touch /jfs/testfile
    # setfattr -n user.comment -v `perl -e 'print "A"x65536'` /jfs/testfile
    setfattr: /jfs/testfile: Invalid argument

Syslog:
    ...
    jfs_xsetattr: xattr_size = 21, new_size = 65557

This patch adds a pre-check of the EA value size against USHRT_MAX to avoid this problem, and returns -E2BIG, which is consistent with the VFS setxattr interface. Moreover, fix the debug code to print the correct function name.

With this fix:

    setfattr: /jfs/testfile: Argument list too long

Signed-off-by: Jie Liu <jeff.liu@oracle.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
parent
9a0bb2966e
commit
0439e091e3
@ -860,6 +860,19 @@ int __jfs_setxattr(tid_t tid, struct inode *inode, const char *name,
|
||||
/* Completely new ea list */
|
||||
xattr_size = sizeof (struct jfs_ea_list);
|
||||
|
||||
/*
|
||||
* The size of EA value is limitted by on-disk format up to
|
||||
* __le16, there would be an overflow if the size is equal
|
||||
* to XATTR_SIZE_MAX (65536). In order to avoid this issue,
|
||||
* we can pre-checkup the value size against USHRT_MAX, and
|
||||
* return -E2BIG in this case, which is consistent with the
|
||||
* VFS setxattr interface.
|
||||
*/
|
||||
if (value_len >= USHRT_MAX) {
|
||||
rc = -E2BIG;
|
||||
goto release;
|
||||
}
|
||||
|
||||
ea = (struct jfs_ea *) ((char *) ealist + xattr_size);
|
||||
ea->flag = 0;
|
||||
ea->namelen = namelen;
|
||||
@ -874,7 +887,7 @@ int __jfs_setxattr(tid_t tid, struct inode *inode, const char *name,
|
||||
/* DEBUG - If we did this right, these number match */
|
||||
if (xattr_size != new_size) {
|
||||
printk(KERN_ERR
|
||||
"jfs_xsetattr: xattr_size = %d, new_size = %d\n",
|
||||
"__jfs_setxattr: xattr_size = %d, new_size = %d\n",
|
||||
xattr_size, new_size);
|
||||
|
||||
rc = -EINVAL;
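Review bot: The new guard in the first hunk, `if (value_len >= USHRT_MAX) {`, does not match the comment directly above it. The comment says the overflow occurs when the size equals XATTR_SIZE_MAX (65536), but `>=` also rejects a 65535-byte value, which would still fit in a `__le16` length field. If nothing else in the on-disk layout needs that margin (the field definition is outside this hunk, so this is inferred), the check should read `if (value_len > USHRT_MAX) {`. If 65535 is excluded on purpose, the comment should say so, and the "limitted" typo could be fixed at the same time. The check also runs only after the EA list has been obtained, hence the `goto release`. Since `__jfs_setxattr` starts outside the hunk, it is worth confirming whether the length could be rejected before that buffer is acquired.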
|
||||
|