Commit 1d57bdeb authored by Chengguang Xu's avatar Chengguang Xu Committed by Yang Yingliang

ext2: introduce helper for xattr entry validation



mainline inclusion
from mainline-5.3-rc1
commit f4c3fb8c
category: bugfix
bugzilla: 174001
CVE: NA

-------------------------------------------------

Introduce helper function ext2_xattr_entry_valid()
for xattr entry validation and clean up the entry
check related code.

Reviewed-by: default avatarAndreas Dilger <adilger@dilger.ca>
Signed-off-by: default avatarChengguang Xu <cgxu519@zoho.com.cn>
Signed-off-by: default avatarJan Kara <jack@suse.cz>

Conflicts:
	fs/ext2/xattr.c

Signed-off-by: default avatarBaokun Li <libaokun1@huawei.com>
Reviewed-by: default avatarZhang Yi <yi.zhang@huawei.com>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
parent aaf0fba1
+21 −11
@@ -134,6 +134,22 @@ ext2_xattr_handler(int name_index)
	return handler;
}

static bool
ext2_xattr_entry_valid(struct ext2_xattr_entry *entry, size_t end_offs)
{
	size_t size;

	if (entry->e_value_block != 0)
		return false;

	size = le32_to_cpu(entry->e_value_size);
	if (size > end_offs ||
	    le16_to_cpu(entry->e_value_offs) + size > end_offs)
		return false;

	return true;
}

/*
 * ext2_xattr_get()
 *
@@ -203,14 +219,10 @@ bad_block: ext2_error(inode->i_sb, "ext2_xattr_get",
	error = -ENODATA;
	goto cleanup;
found:
	/* check the buffer size */
	if (entry->e_value_block != 0)
		goto bad_block;
	size = le32_to_cpu(entry->e_value_size);
	if (size > inode->i_sb->s_blocksize ||
	    le16_to_cpu(entry->e_value_offs) + size > inode->i_sb->s_blocksize)
	if (!ext2_xattr_entry_valid(entry, inode->i_sb->s_blocksize))
		goto bad_block;

	size = le32_to_cpu(entry->e_value_size);
	if (ext2_xattr_cache_insert(ea_block_cache, bh))
		ea_idebug(inode, "cache insert failed");
	if (buffer) {
@@ -470,12 +482,10 @@ bad_block: ext2_error(sb, "ext2_xattr_set",
		if (flags & XATTR_CREATE)
			goto cleanup;
		if (!here->e_value_block && here->e_value_size) {
			size_t size = le32_to_cpu(here->e_value_size);

			if (le16_to_cpu(here->e_value_offs) + size > 
			    sb->s_blocksize || size > sb->s_blocksize)
			if (!ext2_xattr_entry_valid(here, sb->s_blocksize))
				goto bad_block;
			free += EXT2_XATTR_SIZE(size);
			free += EXT2_XATTR_SIZE(
					le32_to_cpu(here->e_value_size));
		}
		free += EXT2_XATTR_LEN(name_len);
	}