From 092e0d0e964279feb9f43f81e8d1c52ef080d085 Mon Sep 17 00:00:00 2001 From: HyungJung Joo Date: Fri, 13 Mar 2026 15:34:44 +0900 Subject: [PATCH] orangefs: validate getxattr response length orangefs_inode_getxattr() trusts the userspace-client-controlled downcall.resp.getxattr.val_sz and uses it as a memcpy() length both for the temporary user buffer and the cached xattr buffer. Reject malformed negative or oversized lengths before copying response bytes. Reported-by: Hyungjung Joo Signed-off-by: HyungJung Joo Signed-off-by: Mike Marshall --- fs/orangefs/xattr.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c index 1b372189cd10..b6d116302de4 100644 --- a/fs/orangefs/xattr.c +++ b/fs/orangefs/xattr.c @@ -188,6 +188,10 @@ ssize_t orangefs_inode_getxattr(struct inode *inode, const char *name, * Length returned includes null terminator. */ length = new_op->downcall.resp.getxattr.val_sz; + if (length < 0 || length > ORANGEFS_MAX_XATTR_VALUELEN) { + ret = -EIO; + goto out_release_op; + } /* * Just return the length of the queried attribute.
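Review bot: Please confirm that both memcpy() destinations named in the commit message (the temporary user buffer and the cached xattr buffer) are at least ORANGEFS_MAX_XATTR_VALUELEN bytes. The bound added right after `length = new_op->downcall.resp.getxattr.val_sz;` only protects a copy whose destination is that large, and neither buffer's size is visible in this hunk. If the caller-supplied buffer can be smaller, it still needs its own comparison against length before the copy. The `length < 0` arm is only meaningful if length is declared as a signed type. Its declaration is outside the visible context, so it is worth stating the type in the commit message or checking that a negative val_sz cannot be converted into a large positive value before it reaches this test. The rejection path also returns -EIO with no diagnostic. A rate-limited error message that reports the bad val_sz would let an operator tell a misbehaving userspace client apart from a real I/O failure. Finally, the existing comment says the length includes the null terminator, so a one-line comment on the new check saying that the limit is applied to the terminator-inclusive length would keep the two consistent.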