Commit 7c55b788 authored May 14, 2024 by Greg Kroah-Hartman

jfs: xattr: fix buffer overflow for invalid xattr



When an xattr size is not what is expected, it is printed out to the
kernel log in hex format as a form of debugging.  But when that xattr
size is bigger than the expected size, printing it out can cause an
access off the end of the buffer.

Fix this all up by properly restricting the size of the debug hex dump
in the kernel log.

Reported-by:  <syzbot+9dfe490c8176301c1d06@syzkaller.appspotmail.com>
Cc: Dave Kleikamp <shaggy@kernel.org>
Link: https://lore.kernel.org/r/2024051433-slider-cloning-98f9@gregkh


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 77427e3d

fs/jfs/xattr.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -557,9 +557,11 @@ static int ea_get(struct inode inode, struct ea_buffer ea_buf, int min_size)

		size_check:
		if (EALIST_SIZE(ea_buf->xattr) != ea_size) {
		int size = min_t(int, EALIST_SIZE(ea_buf->xattr), ea_size);

		printk(KERN_ERR "ea_get: invalid extended attribute\n");
		print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
		ea_buf->xattr, ea_size, 1);
		ea_buf->xattr, size, 1);
		ea_release(inode, ea_buf);
		rc = -EIO;
		goto clean_up;