[PATCH] xattr: restrict vfs_getxattr_alloc() allocation size
Serge E. Hallyn
serge at hallyn.com
Tue Mar 5 15:17:53 UTC 2024
On Tue, Mar 05, 2024 at 01:27:06PM +0100, Christian Brauner wrote:
> The vfs_getxattr_alloc() interface is a special-purpose in-kernel api
> that does a racy query-size+allocate-buffer+retrieve-data. It is used by
> EVM, IMA, and fscaps to retrieve xattrs. Recently, we've seen issues
> where 9p returned values that amount to allocating about 8000GB worth of
> memory (cf. [1]). That's now fixed in 9p. But vfs_getxattr_alloc() has
> no reason to allow getting xattr values that are larger than
> XATTR_MAX_SIZE as that's the limit we use for setting and getting xattr
> values and nothing currently goes beyond that limit afaict. Let it check
> for that and reject requests that are larger than that.
>
> Link: https://lore.kernel.org/r/ZeXcQmHWcYvfCR93@do-x1extreme [1]
> Signed-off-by: Christian Brauner <brauner at kernel.org>
Acked-by: Serge Hallyn <serge at hallyn.com>
> ---
> fs/xattr.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/xattr.c b/fs/xattr.c
> index 09d927603433..a53c930e3018 100644
> --- a/fs/xattr.c
> +++ b/fs/xattr.c
> @@ -395,6 +395,9 @@ vfs_getxattr_alloc(struct mnt_idmap *idmap, struct dentry *dentry,
> if (error < 0)
> return error;
>
> + if (error > XATTR_SIZE_MAX)
> + return -E2BIG;
> +
> if (!value || (error > xattr_size)) {
> value = krealloc(*xattr_value, error + 1, flags);
> if (!value)
> --
> 2.43.0
>
More information about the Linux-security-module-archive
mailing list