• Jann Horn's avatar
    reiserfs: fix broken xattr handling (heap corruption, bad retval) · a13f085d
    Jann Horn authored
    This fixes the following issues:
    
    - When a buffer size is supplied to reiserfs_listxattr() such that each
      individual name fits, but the concatenation of all names doesn't fit,
      reiserfs_listxattr() overflows the supplied buffer.  This leads to a
      kernel heap overflow (verified using KASAN) followed by an out-of-bounds
      usercopy and is therefore a security bug.
    
    - When a buffer size is supplied to reiserfs_listxattr() such that a
      name doesn't fit, -ERANGE should be returned.  But reiserfs instead just
      truncates the list of names; I have verified that if the only xattr on a
      file has a longer name than the supplied buffer length, listxattr()
      incorrectly returns zero.
    
    With my patch applied, -ERANGE is returned in both cases and the memory
    corruption doesn't happen anymore.
    
    Credit for making me clean this code up a bit goes to Al Viro, who pointed
    out that the ->actor calling convention is suboptimal and should be
    changed.
    
    Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
    Fixes: 48b32a35 ("reiserfs: use generic xattr handlers")
    Signed-off-by: default avatarJann Horn <jannh@google.com>
    Acked-by: default avatarJeff Mahoney <jeffm@suse.com>
    Cc: Eric Biggers <ebiggers@google.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    a13f085d
xattr.c 24.2 KB