orangefs: validate getxattr response length

orangefs_inode_getxattr() trusts the userspace-client-controlled
downcall.resp.getxattr.val_sz and uses it as a memcpy() length
both for the temporary user buffer and the cached xattr buffer.
Reject malformed negative or oversized lengths before copying
response bytes.

Reported-by: Hyungjung Joo <jhj140711@gmail.com>
Signed-off-by: HyungJung Joo <jhj140711@gmail.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
HyungJung Joo
2026-03-13 15:34:44 +09:00
committed by Mike Marshall
parent 415e507cde
commit 092e0d0e96

@@ -188,6 +188,10 @@ ssize_t orangefs_inode_getxattr(struct inode *inode, const char *name,
* Length returned includes null terminator.
*/
length = new_op->downcall.resp.getxattr.val_sz;
if (length < 0 || length > ORANGEFS_MAX_XATTR_VALUELEN) {
ret = -EIO;
goto out_release_op;
}
/*
* Just return the length of the queried attribute.
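
Review bot: The new bounds check on `length` returns -EIO without logging anything, so a malformed val_sz from the userspace client will be hard to tell apart from any other I/O failure. Consider emitting an error message that includes the rejected value before `goto out_release_op`. Two smaller points on the same condition: the comment just above says the returned length includes the null terminator, yet `length < 0` still lets a zero length through, so it is worth stating whether 0 is a valid response or should be rejected as well; and the upper bound `length > ORANGEFS_MAX_XATTR_VALUELEN` accepts a length equal to the constant, which is only correct if both destination buffers named in the commit message hold at least that many bytes. Those buffers are not visible in this hunk, so please confirm it in the commit message or a comment.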