From: Aldo Ariel Panzardo <qwe.aldo@gmail.com>
To: linux-xfs@vger.kernel.org, Carlos Maiolino <cem@kernel.org>
Cc: "Darrick J . Wong" <djwong@kernel.org>,
linux-kernel@vger.kernel.org,
Aldo Ariel Panzardo <qwe.aldo@gmail.com>,
stable@vger.kernel.org
Subject: [PATCH v2 2/2] xfs: reject remote xattr entries with an out-of-range value length
Date: Tue, 7 Jul 2026 16:00:38 -0300 [thread overview]
Message-ID: <20260707190038.3811440-3-qwe.aldo@gmail.com> (raw)
In-Reply-To: <20260707190038.3811440-1-qwe.aldo@gmail.com>
xfs_attr3_leaf_verify_entry() validates a remote attribute entry's name
but never bounds its on-disk value length (xfs_attr_leaf_name_remote.
valuelen, a __be32). A crafted leaf with valuelen = 0x80000000 passes
the verifier and the CRC.
That length is later assigned into the signed int args->rmtvaluelen
(xfs_attr3_leaf_getvalue), becoming negative, which slips past the signed
-ERANGE check in xfs_attr_copy_value(); a getxattr() with a small buffer
then memcpy()s a full remote block into the small kvalue buffer
(xfs_attr_rmtval_copyout) -- a heap out-of-bounds write with
attacker-controlled content, from an unprivileged getxattr(2) on a
mounted crafted image.
Reject remote entries whose value length exceeds XFS_XATTR_SIZE_MAX in
the leaf verifier, so the malicious block is rejected at read time.
Fixes: c84760659dcf ("xfs: check attribute leaf block structure")
Cc: <stable@vger.kernel.org>
Signed-off-by: Aldo Ariel Panzardo <qwe.aldo@gmail.com>
---
v2: cc stable (per Darrick). Now 2/2 of a series: 1/2 fixes the signed
value-length check in xfs_attr_copy_value(); this read-time verifier
fix is otherwise unchanged from v1.
fs/xfs/libxfs/xfs_attr_leaf.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
index d0f7753659c9..948dc8b26fe6 100644
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -339,6 +339,8 @@ xfs_attr3_leaf_verify_entry(
if (!(ent->flags & XFS_ATTR_INCOMPLETE) &&
rentry->valueblk == 0)
return __this_address;
+ if (be32_to_cpu(rentry->valuelen) > XFS_XATTR_SIZE_MAX)
+ return __this_address;
}
if (name_end > buf_end)
--
2.53.0
prev parent reply other threads:[~2026-07-07 19:00 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-07 14:01 [PATCH] " Aldo Ariel Panzardo
2026-07-07 16:36 ` Darrick J. Wong
2026-07-07 19:00 ` [PATCH v2 0/2] xfs: fix out-of-range remote xattr " Aldo Ariel Panzardo
2026-07-07 19:00 ` [PATCH v2 1/2] xfs: reject out-of-range attribute value lengths in xfs_attr_copy_value Aldo Ariel Panzardo
2026-07-07 19:00 ` Aldo Ariel Panzardo [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260707190038.3811440-3-qwe.aldo@gmail.com \
--to=qwe.aldo@gmail.com \
--cc=cem@kernel.org \
--cc=djwong@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox