| From 7d95178c77014dbd8dce36ee40bbbc5e6c121ff5 Mon Sep 17 00:00:00 2001 |
| From: Theodore Ts'o <tytso@mit.edu> |
| Date: Wed, 1 Aug 2018 12:36:52 -0400 |
| Subject: ext4: check for NUL characters in extended attribute's name |
| |
| From: Theodore Ts'o <tytso@mit.edu> |
| |
| commit 7d95178c77014dbd8dce36ee40bbbc5e6c121ff5 upstream. |
| |
| Extended attribute names are defined to be NUL-terminated, so the name |
| must not contain a NUL character. This is important because there are |
| places when remove extended attribute, the code uses strlen to |
| determine the length of the entry. That should probably be fixed at |
| some point, but code is currently really messy, so the simplest fix |
| for now is to simply validate that the extended attributes are sane. |
| |
| https://bugzilla.kernel.org/show_bug.cgi?id=200401 |
| |
| Reported-by: Wen Xu <wen.xu@gatech.edu> |
| Signed-off-by: Theodore Ts'o <tytso@mit.edu> |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/ext4/xattr.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/fs/ext4/xattr.c |
| +++ b/fs/ext4/xattr.c |
| @@ -189,6 +189,8 @@ ext4_xattr_check_entries(struct ext4_xat |
| struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(e); |
| if ((void *)next >= end) |
| return -EFSCORRUPTED; |
| + if (strnlen(e->e_name, e->e_name_len) != e->e_name_len) |
| + return -EFSCORRUPTED; |
| e = next; |
| } |
| |