Commit 5990fd75 authored by Darrick J. Wong's avatar Darrick J. Wong Committed by Carlos Maiolino
Browse files

xfs: fix a UAF problem in xattr repair 



The xchk_setup_xattr_buf function can allocate a new value buffer, which
means that any reference to ab->value before the call could become a
dangling pointer.  Fix this by moving an assignment to after the buffer
setup.

Cc: stable@vger.kernel.org # v6.10
Fixes: e47dcf11 ("xfs: repair extended attributes")
Signed-off-by: default avatarDarrick J. Wong <djwong@kernel.org>
Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
Signed-off-by: default avatarCarlos Maiolino <cem@kernel.org>
parent 2145f447

fs/xfs/scrub/attr_repair.c

+1 −1
Original line number Diff line number Diff line
@@ -333,7 +333,6 @@ xrep_xattr_salvage_remote_attr( 
		.attr_filter		= ent->flags & XFS_ATTR_NSP_ONDISK_MASK,

		.namelen		= rentry->namelen,

		.name			= rentry->name,

		.value			= ab->value,

		.valuelen		= be32_to_cpu(rentry->valuelen),

	};

	unsigned int			namesize;
@@ -363,6 +362,7 @@ xrep_xattr_salvage_remote_attr( 
		error = -EDEADLOCK;

	if (error)

		return error;

	args.value = ab->value;



	/* Look up the remote value and stash it for reconstruction. */

	error = xfs_attr3_leaf_getvalue(leaf_bp, &args);