• Jann Horn's avatar
    reiserfs: fix broken xattr handling (heap corruption, bad retval) · a13f085d
    Jann Horn authored
    This fixes the following issues:
    
    - When a buffer size is supplied to reiserfs_listxattr() such that each
      individual name fits, but the concatenation of all names doesn't fit,
      reiserfs_listxattr() overflows the supplied buffer.  This leads to a
      kernel heap overflow (verified using KASAN) followed by an out-of-bounds
      usercopy and is therefore a security bug.
    
    - When a buffer size is supplied to reiserfs_listxattr() such that a
      name doesn't fit, -ERANGE should be returned.  But reiserfs instead just
      truncates the list of names; I have verified that if the only xattr on a
      file has a longer name than the supplied buffer length, listxattr()
      incorrectly returns zero.
    
    With my patch applied, -ERANGE is returned in both cases and the memory
    corruption doesn't happen anymore.
    
    Credit for making me clean this code up a bit goes to Al Viro, who pointed
    out that the ->actor calling convention is suboptimal and should be
    changed.
    
    Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
    Fixes: 48b32a35 ("reiserfs: use generic xattr handlers")
    Signed-off-by: 's avatarJann Horn <jannh@google.com>
    Acked-by: 's avatarJeff Mahoney <jeffm@suse.com>
    Cc: Eric Biggers <ebiggers@google.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: 's avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: 's avatarLinus Torvalds <torvalds@linux-foundation.org>
    a13f085d
Name
Last commit
Last update
Documentation Loading commit data...
LICENSES Loading commit data...
arch Loading commit data...
block Loading commit data...
certs Loading commit data...
crypto Loading commit data...
drivers Loading commit data...
firmware Loading commit data...
fs Loading commit data...
include Loading commit data...
init Loading commit data...
ipc Loading commit data...
kernel Loading commit data...
lib Loading commit data...
mm Loading commit data...
net Loading commit data...
samples Loading commit data...
scripts Loading commit data...
security Loading commit data...
sound Loading commit data...
tools Loading commit data...
usr Loading commit data...
virt Loading commit data...
.clang-format Loading commit data...
.cocciconfig Loading commit data...
.get_maintainer.ignore Loading commit data...
.gitattributes Loading commit data...
.gitignore Loading commit data...
.mailmap Loading commit data...
COPYING Loading commit data...
CREDITS Loading commit data...
Kbuild Loading commit data...
Kconfig Loading commit data...
MAINTAINERS Loading commit data...
Makefile Loading commit data...
README Loading commit data...