From patchwork Tue Mar 27 03:38:00 2018
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 891328
From: Eric Biggers
To: linux-ext4@vger.kernel.org, Theodore Ts'o
Cc: Andreas Dilger, Wen Xu, Eric Biggers
Subject: [PATCH] ext4: limit external inode xattrs to XATTR_SIZE_MAX
Date: Mon, 26 Mar 2018 20:38:00 -0700
Message-Id: <20180327033800.3081-1-ebiggers3@gmail.com>
X-Mailer: git-send-email 2.16.2
X-Mailing-List: linux-ext4@vger.kernel.org

From: Eric Biggers This is a replacement for the broken patch "ext4: add better range checking for e_value_size in xattrs" currently in ext4/dev. -----8<----- ext4 isn't validating the sizes of xattrs that are stored in external inodes. This is problematic because ->e_value_size is a u32, but ext4_xattr_get() returns an int. A very large size is misinterpreted as an error code, which ext4_get_acl() translates into a bogus ERR_PTR() for which IS_ERR() returns false, causing a crash. Fix this by validating that all xattrs are <= XATTR_SIZE_MAX bytes. (It's not strictly needed for non-EA-inode xattrs, but it doesn't hurt.) https://bugzilla.kernel.org/show_bug.cgi?id=199185 Reported-by: Wen Xu Fixes: e50e5129f384 ("ext4: xattr-in-inode support") Cc: # v4.13+ Signed-off-by: Eric Biggers Reported-by: Wen Xu Signed-off-by: Eric Biggers Signed-off-by: Theodore Ts'o --- fs/ext4/xattr.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 63656dbafdc45..8c9ade64aea2a 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -195,10 +195,13 @@ ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end, /* Check the values */ while (!IS_LAST_ENTRY(entry)) { - if (entry->e_value_size != 0 && - entry->e_value_inum == 0) { + u32 size = le32_to_cpu(entry->e_value_size); + + if (size > XATTR_SIZE_MAX) + return -EFSCORRUPTED; + + if (size != 0 && entry->e_value_inum == 0) { u16 offs = le16_to_cpu(entry->e_value_offs); - u32 size = le32_to_cpu(entry->e_value_size); void *value; /*
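Review bot: the new `size > XATTR_SIZE_MAX` check at the top of the value loop in ext4_xattr_check_entries() has no comment explaining why it sits outside the `e_value_inum == 0` branch. The reason is only in the commit message (->e_value_size is a u32 while ext4_xattr_get() returns an int, so an oversized value read from an EA inode is taken for an error code). A one-line comment above the check saying that it must cover entries with a non-zero e_value_inum would keep a later cleanup from folding it back into the in-block branch, where it is, as the message notes, not strictly needed. A smaller style point: the same condition now uses the CPU-order `size` next to the raw `entry->e_value_inum`; comparing the raw field against zero is harmless, but it reads inconsistently beside the converted value.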