[PATCH 1/3] ubifs: check the remaining name buffer during xattr list
Hou Tao
houtao1 at huawei.com
Tue Jun 30 09:04:36 EDT 2020
When there are concurrent xattr list and xattr write operations,
it is possible that xattr_names + xattr_cnt has been increased a lot
by an xattr write op since it was last read at the beginning of ubifs_listxattr().
So ubifs_listxattr() may find these newly updated or added xattrs,
try to copy these xattr names regardless of the remaining buffer size,
and lead to buffer corruption and an assertion failure.
Simply fix it by checking the remaining size of the name buffer
before copying the xattr name.
Signed-off-by: Hou Tao <houtao1 at huawei.com>
---
fs/ubifs/xattr.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c
index 9aefbb60074f..5591b9fa1d86 100644
--- a/fs/ubifs/xattr.c
+++ b/fs/ubifs/xattr.c
@@ -429,6 +429,12 @@ ssize_t ubifs_listxattr(struct dentry *dentry, char *buffer, size_t size)
fname_len(&nm) = le16_to_cpu(xent->nlen);
if (xattr_visible(xent->name)) {
+ if (size - written < fname_len(&nm) + 1) {
+ kfree(pxent);
+ kfree(xent);
+ return -ERANGE;
+ }
+
memcpy(buffer + written, fname_name(&nm), fname_len(&nm) + 1);
written += fname_len(&nm) + 1;
}
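Review bot: the two kfree() calls in the new `if (size - written < fname_len(&nm) + 1)` branch duplicate the cleanup that the existing error returns in this function already have to perform; if the function has (or can be given) a common `out:` label that frees pxent and xent, jumping to it with `err = -ERANGE` would keep a single cleanup path rather than a third copy of the pair. The check itself looks right: the subtraction form `size - written < len + 1` cannot underflow because written only grows by an amount that has just been checked to fit, and it avoids the overflow that `written + len + 1 > size` could hit, so please keep that form. Returning -ERANGE here is the documented listxattr(2) contract for a list buffer that is too small, so a caller racing with setxattr now sees ERANGE and can retry instead of a corrupted buffer. Also worth adding to the commit message: a Fixes: tag and Cc: stable, since the overrun is reachable by an unprivileged user holding a file with a concurrent xattr writer.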
--
2.25.0.4.g0ad7144999