From: Eric Biggers ebiggers@google.com
mainline inclusion from mainline-v6.8-rc1 commit e26b6d39270f5eab0087453d9b544189a38c8564 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I92HXW CVE: CVE-2023-52436
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
When setting an xattr, explicitly null-terminate the xattr list. This eliminates the fragile assumption that the unused xattr space is always zeroed.
Signed-off-by: Eric Biggers ebiggers@google.com Reviewed-by: Chao Yu chao@kernel.org Signed-off-by: Jaegeuk Kim jaegeuk@kernel.org Signed-off-by: Zizhi Wo wozizhi@huawei.com --- fs/f2fs/xattr.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c index 465d145360de..e197657db36b 100644 --- a/fs/f2fs/xattr.c +++ b/fs/f2fs/xattr.c @@ -754,6 +754,12 @@ static int __f2fs_setxattr(struct inode *inode, int index, memcpy(pval, value, size); last->e_value_size = cpu_to_le16(size); new_hsize += newsize; + /* + * Explicitly add the null terminator. The unused xattr space + * is supposed to always be zeroed, which would make this + * unnecessary, but don't depend on that. + */ + *(u32 *)((u8 *)last + newsize) = 0; }
error = write_all_xattrs(inode, new_hsize, base_addr, ipage);
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/4636 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/2...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/4636 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/2...