mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
* [PATCH] xfs: reject remote xattr entries with an out-of-range value length
@ 2026-07-07 14:01 Aldo Ariel Panzardo
  2026-07-07 16:36 ` Darrick J. Wong
  2026-07-07 19:00 ` [PATCH v2 0/2] xfs: fix out-of-range remote xattr " Aldo Ariel Panzardo
  0 siblings, 2 replies; 5+ messages in thread
From: Aldo Ariel Panzardo @ 2026-07-07 14:01 UTC (permalink / raw)
  To: linux-xfs, Carlos Maiolino
  Cc: Darrick J . Wong, linux-kernel, Aldo Ariel Panzardo

xfs_attr3_leaf_verify_entry() validates a remote attribute entry's name
but never bounds its on-disk value length (xfs_attr_leaf_name_remote.
valuelen, a __be32). A crafted leaf with valuelen = 0x80000000 passes
the verifier and the CRC.

That length is later assigned into the signed int args->rmtvaluelen
(xfs_attr3_leaf_getvalue), becoming negative, which slips past the signed
-ERANGE check in xfs_attr_copy_value(); a getxattr() with a small buffer
then memcpy()s a full remote block into the small kvalue buffer
(xfs_attr_rmtval_copyout) -- a heap out-of-bounds write with
attacker-controlled content, from an unprivileged getxattr(2) on a
mounted crafted image.

Reject remote entries whose value length exceeds XFS_XATTR_SIZE_MAX in
the leaf verifier, so the malicious block is rejected at read time.

Fixes: c84760659dcf ("xfs: check attribute leaf block structure")
Signed-off-by: Aldo Ariel Panzardo <qwe.aldo@gmail.com>
---
 fs/xfs/libxfs/xfs_attr_leaf.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
index 86c5c09a5db4..f1769289f908 100644
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -339,6 +339,8 @@ xfs_attr3_leaf_verify_entry(
 		if (!(ent->flags & XFS_ATTR_INCOMPLETE) &&
 		    rentry->valueblk == 0)
 			return __this_address;
+		if (be32_to_cpu(rentry->valuelen) > XFS_XATTR_SIZE_MAX)
+			return __this_address;
 	}
 
 	if (name_end > buf_end)
-- 
2.43.0


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] xfs: reject remote xattr entries with an out-of-range value length
  2026-07-07 14:01 [PATCH] xfs: reject remote xattr entries with an out-of-range value length Aldo Ariel Panzardo
@ 2026-07-07 16:36 ` Darrick J. Wong
  2026-07-07 19:00 ` [PATCH v2 0/2] xfs: fix out-of-range remote xattr " Aldo Ariel Panzardo
  1 sibling, 0 replies; 5+ messages in thread
From: Darrick J. Wong @ 2026-07-07 16:36 UTC (permalink / raw)
  To: Aldo Ariel Panzardo; +Cc: linux-xfs, Carlos Maiolino, linux-kernel

On Tue, Jul 07, 2026 at 11:01:18AM -0300, Aldo Ariel Panzardo wrote:
> xfs_attr3_leaf_verify_entry() validates a remote attribute entry's name
> but never bounds its on-disk value length (xfs_attr_leaf_name_remote.
> valuelen, a __be32). A crafted leaf with valuelen = 0x80000000 passes
> the verifier and the CRC.
> 
> That length is later assigned into the signed int args->rmtvaluelen
> (xfs_attr3_leaf_getvalue), becoming negative, which slips past the signed
> -ERANGE check in xfs_attr_copy_value(); a getxattr() with a small buffer

Shouldn't you fix the signed value check in xfs_attr_copy_value, then?

> then memcpy()s a full remote block into the small kvalue buffer
> (xfs_attr_rmtval_copyout) -- a heap out-of-bounds write with
> attacker-controlled content, from an unprivileged getxattr(2) on a
> mounted crafted image.
> 
> Reject remote entries whose value length exceeds XFS_XATTR_SIZE_MAX in
> the leaf verifier, so the malicious block is rejected at read time.
> 
> Fixes: c84760659dcf ("xfs: check attribute leaf block structure")
> Signed-off-by: Aldo Ariel Panzardo <qwe.aldo@gmail.com>

This ought to cc stable.

> ---
>  fs/xfs/libxfs/xfs_attr_leaf.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
> index 86c5c09a5db4..f1769289f908 100644
> --- a/fs/xfs/libxfs/xfs_attr_leaf.c
> +++ b/fs/xfs/libxfs/xfs_attr_leaf.c
> @@ -339,6 +339,8 @@ xfs_attr3_leaf_verify_entry(
>  		if (!(ent->flags & XFS_ATTR_INCOMPLETE) &&
>  		    rentry->valueblk == 0)
>  			return __this_address;
> +		if (be32_to_cpu(rentry->valuelen) > XFS_XATTR_SIZE_MAX)
> +			return __this_address;

This looks correct though.

--D

>  	}
>  
>  	if (name_end > buf_end)
> -- 
> 2.43.0
> 
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v2 0/2] xfs: fix out-of-range remote xattr value length
  2026-07-07 14:01 [PATCH] xfs: reject remote xattr entries with an out-of-range value length Aldo Ariel Panzardo
  2026-07-07 16:36 ` Darrick J. Wong
@ 2026-07-07 19:00 ` Aldo Ariel Panzardo
  2026-07-07 19:00   ` [PATCH v2 1/2] xfs: reject out-of-range attribute value lengths in xfs_attr_copy_value Aldo Ariel Panzardo
  2026-07-07 19:00   ` [PATCH v2 2/2] xfs: reject remote xattr entries with an out-of-range value length Aldo Ariel Panzardo
  1 sibling, 2 replies; 5+ messages in thread
From: Aldo Ariel Panzardo @ 2026-07-07 19:00 UTC (permalink / raw)
  To: linux-xfs, Carlos Maiolino
  Cc: Darrick J . Wong, linux-kernel, Aldo Ariel Panzardo

v1 tightened only the read-time leaf verifier.  Darrick pointed out that
the underlying problem is the signed value-length check in the consumer,
xfs_attr_copy_value(): a remote value length is an on-disk __be32 that is
stored into the signed args->rmtvaluelen, so a crafted length such as
0x80000000 becomes negative and slips past the "buffer too small"
-ERANGE guard, and is then used as a copy length.

v2 fixes both ends:

  1/2 rejects a negative or oversized value length in
      xfs_attr_copy_value() before it is used, so a bogus length cannot
      become a copy length even if it reaches the value copier.
  2/2 is the v1 verifier fix, rejecting the malformed remote entry at
      read time.

Both are bug fixes and are now cc'd to stable.

v2:
  - 1/2 is new: fix the signed value-length check in xfs_attr_copy_value
    (the consumer / root cause), per Darrick's review.
  - 2/2: cc stable; otherwise unchanged from the v1 verifier patch.

v1: https://lore.kernel.org/linux-xfs/20260707140118.3217585-1-qwe.aldo@gmail.com/

Aldo Ariel Panzardo (2):
  xfs: reject out-of-range attribute value lengths in
    xfs_attr_copy_value
  xfs: reject remote xattr entries with an out-of-range value length

 fs/xfs/libxfs/xfs_attr_leaf.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

-- 
2.53.0


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v2 1/2] xfs: reject out-of-range attribute value lengths in xfs_attr_copy_value
  2026-07-07 19:00 ` [PATCH v2 0/2] xfs: fix out-of-range remote xattr " Aldo Ariel Panzardo
@ 2026-07-07 19:00   ` Aldo Ariel Panzardo
  2026-07-07 19:00   ` [PATCH v2 2/2] xfs: reject remote xattr entries with an out-of-range value length Aldo Ariel Panzardo
  1 sibling, 0 replies; 5+ messages in thread
From: Aldo Ariel Panzardo @ 2026-07-07 19:00 UTC (permalink / raw)
  To: linux-xfs, Carlos Maiolino
  Cc: Darrick J . Wong, linux-kernel, Aldo Ariel Panzardo, stable

xfs_attr_copy_value() takes the value length as a signed int and, for a
remote xattr, is handed args->rmtvaluelen.  That field is filled from the
on-disk __be32 xfs_attr_leaf_name_remote.valuelen in
xfs_attr3_leaf_getvalue(), so a crafted length such as 0x80000000 is
stored into the signed rmtvaluelen as a negative number.

The "buffer too small" guard in xfs_attr_copy_value() is a signed
comparison:

	if (args->valuelen < valuelen)
		return -ERANGE;

A negative valuelen therefore compares as smaller than the caller's
buffer size, skips the -ERANGE path, and is then used as a copy length,
leading to an out-of-bounds copy of a full remote block into a small
getxattr(2) buffer on a mounted crafted image.

Reject a value length that is negative or larger than the maximum xattr
size before it is used, so a bogus on-disk length can no longer slip
through the value copier.

Fixes: 9df243a1a9e6 ("xfs: consolidate attribute value copying")
Cc: <stable@vger.kernel.org>
Signed-off-by: Aldo Ariel Panzardo <qwe.aldo@gmail.com>
---
v2: new patch (see the 0/2 cover letter).  Fixes the signed value-length
    check in the consumer, xfs_attr_copy_value(), which is the root
    cause Darrick pointed at in his review of the v1 verifier patch.

 fs/xfs/libxfs/xfs_attr_leaf.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
index 86c5c09a5db4..d0f7753659c9 100644
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -628,6 +628,17 @@ xfs_attr_copy_value(
 	unsigned char		*value,
 	int			valuelen)
 {
+	/*
+	 * A value length that is negative or larger than the maximum xattr
+	 * size is on-disk corruption.  The remote value length is an on-disk
+	 * __be32 stored into the signed args->rmtvaluelen, so a crafted value
+	 * such as 0x80000000 becomes negative and would slip past the
+	 * "args->valuelen < valuelen" check below and be used as a copy
+	 * length.  Reject it before that can happen.
+	 */
+	if (valuelen < 0 || valuelen > XFS_XATTR_SIZE_MAX)
+		return -EFSCORRUPTED;
+
 	/*
 	 * Parent pointer lookups require the caller to specify the name and
 	 * value, so don't copy anything.
-- 
2.53.0


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v2 2/2] xfs: reject remote xattr entries with an out-of-range value length
  2026-07-07 19:00 ` [PATCH v2 0/2] xfs: fix out-of-range remote xattr " Aldo Ariel Panzardo
  2026-07-07 19:00   ` [PATCH v2 1/2] xfs: reject out-of-range attribute value lengths in xfs_attr_copy_value Aldo Ariel Panzardo
@ 2026-07-07 19:00   ` Aldo Ariel Panzardo
  1 sibling, 0 replies; 5+ messages in thread
From: Aldo Ariel Panzardo @ 2026-07-07 19:00 UTC (permalink / raw)
  To: linux-xfs, Carlos Maiolino
  Cc: Darrick J . Wong, linux-kernel, Aldo Ariel Panzardo, stable

xfs_attr3_leaf_verify_entry() validates a remote attribute entry's name
but never bounds its on-disk value length (xfs_attr_leaf_name_remote.
valuelen, a __be32). A crafted leaf with valuelen = 0x80000000 passes
the verifier and the CRC.

That length is later assigned into the signed int args->rmtvaluelen
(xfs_attr3_leaf_getvalue), becoming negative, which slips past the signed
-ERANGE check in xfs_attr_copy_value(); a getxattr() with a small buffer
then memcpy()s a full remote block into the small kvalue buffer
(xfs_attr_rmtval_copyout) -- a heap out-of-bounds write with
attacker-controlled content, from an unprivileged getxattr(2) on a
mounted crafted image.

Reject remote entries whose value length exceeds XFS_XATTR_SIZE_MAX in
the leaf verifier, so the malicious block is rejected at read time.

Fixes: c84760659dcf ("xfs: check attribute leaf block structure")
Cc: <stable@vger.kernel.org>
Signed-off-by: Aldo Ariel Panzardo <qwe.aldo@gmail.com>
---
v2: cc stable (per Darrick).  Now 2/2 of a series: 1/2 fixes the signed
    value-length check in xfs_attr_copy_value(); this read-time verifier
    fix is otherwise unchanged from v1.

 fs/xfs/libxfs/xfs_attr_leaf.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
index d0f7753659c9..948dc8b26fe6 100644
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -339,6 +339,8 @@ xfs_attr3_leaf_verify_entry(
 		if (!(ent->flags & XFS_ATTR_INCOMPLETE) &&
 		    rentry->valueblk == 0)
 			return __this_address;
+		if (be32_to_cpu(rentry->valuelen) > XFS_XATTR_SIZE_MAX)
+			return __this_address;
 	}
 
 	if (name_end > buf_end)
-- 
2.53.0


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-07-07 19:00 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-07-07 14:01 [PATCH] xfs: reject remote xattr entries with an out-of-range value length Aldo Ariel Panzardo
2026-07-07 16:36 ` Darrick J. Wong
2026-07-07 19:00 ` [PATCH v2 0/2] xfs: fix out-of-range remote xattr " Aldo Ariel Panzardo
2026-07-07 19:00   ` [PATCH v2 1/2] xfs: reject out-of-range attribute value lengths in xfs_attr_copy_value Aldo Ariel Panzardo
2026-07-07 19:00   ` [PATCH v2 2/2] xfs: reject remote xattr entries with an out-of-range value length Aldo Ariel Panzardo

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox