[PATCH] xattr: restrict vfs_getxattr_alloc() allocation size

Serge E. Hallyn serge at hallyn.com
Tue Mar 5 15:17:53 UTC 2024


On Tue, Mar 05, 2024 at 01:27:06PM +0100, Christian Brauner wrote:
> The vfs_getxattr_alloc() interface is a special-purpose in-kernel api
> that does a racy query-size+allocate-buffer+retrieve-data. It is used by
> EVM, IMA, and fscaps to retrieve xattrs. Recently, we've seen issues
> where 9p returned values that amount to allocating about 8000GB worth of
> memory (cf. [1]). That's now fixed in 9p. But vfs_getxattr_alloc() has
> no reason to allow getting xattr values that are larger than
> XATTR_MAX_SIZE as that's the limit we use for setting and getting xattr
> values and nothing currently goes beyond that limit afaict. Let it check
> for that and reject requests that are larger than that.
> 
> Link: https://lore.kernel.org/r/ZeXcQmHWcYvfCR93@do-x1extreme [1]
> Signed-off-by: Christian Brauner <brauner at kernel.org>

Acked-by: Serge Hallyn <serge at hallyn.com>

> ---
>  fs/xattr.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fs/xattr.c b/fs/xattr.c
> index 09d927603433..a53c930e3018 100644
> --- a/fs/xattr.c
> +++ b/fs/xattr.c
> @@ -395,6 +395,9 @@ vfs_getxattr_alloc(struct mnt_idmap *idmap, struct dentry *dentry,
>  	if (error < 0)
>  		return error;
>  
> +	if (error > XATTR_SIZE_MAX)
> +		return -E2BIG;
> +
>  	if (!value || (error > xattr_size)) {
>  		value = krealloc(*xattr_value, error + 1, flags);
>  		if (!value)
> -- 
> 2.43.0
> 



More information about the Linux-security-module-archive mailing list