jfs: fix xattr value size overflow in __jfs_setxattr (0439e091) · Commits · 戴 / test

There is a potential overflow if the specified EA value size is greater than USHRT_MAX because the size of value is limited by the on-disk format (i.e, __le16), this issue could be reflected via the tests below: # touch /jfs/testfile # setfattr -n user.comment -v `perl -e 'print "A"x65536'` /jfs/testfile setfattr: /jfs/testfile: Invalid argument Syslog: ... jfs_xsetattr: xattr_size = 21, new_size = 65557 This patch add pre-checkups of EA value size against USHRT_MAX to avoid this problem, and return -E2BIG which is consistent with the VFS setxattr interface. Moreover, fix the debug code to print the correct function name. With this fix: setfattr: /jfs/testfile: Argument list too long Signed-off-by:

Jie Liu <jeff.liu@oracle.com> Signed-off-by:

Dave Kleikamp <dave.kleikamp@oracle.com>

fs/jfs/xattr.c

+14 −1

Original line number	Diff line number	Diff line
		@@ -860,6 +860,19 @@ int __jfs_setxattr(tid_t tid, struct inode inode, const char name,
		/* Completely new ea list */
		xattr_size = sizeof (struct jfs_ea_list);

		/*
		* The size of EA value is limitted by on-disk format up to
		* __le16, there would be an overflow if the size is equal
		* to XATTR_SIZE_MAX (65536). In order to avoid this issue,
		* we can pre-checkup the value size against USHRT_MAX, and
		* return -E2BIG in this case, which is consistent with the
		* VFS setxattr interface.
		*/
		if (value_len >= USHRT_MAX) {
		rc = -E2BIG;
		goto release;
		}

		ea = (struct jfs_ea ) ((char ) ealist + xattr_size);
		ea->flag = 0;
		ea->namelen = namelen;
		@@ -874,7 +887,7 @@ int __jfs_setxattr(tid_t tid, struct inode inode, const char name,
		/* DEBUG - If we did this right, these number match */
		if (xattr_size != new_size) {
		printk(KERN_ERR
		"jfs_xsetattr: xattr_size = %d, new_size = %d\n",
		"__jfs_setxattr: xattr_size = %d, new_size = %d\n",
		xattr_size, new_size);

		rc = -EINVAL;

Admin message