From: Shankara Pailoor <shankarapailoor@gmail.com>
Date: Tue, 5 Jun 2018 08:33:27 -0500
Subject: jfs: Fix inconsistency between memory allocation and ea_buf->max_size
Origin: https://git.kernel.org/linus/92d34134193e5b129dc24f8d79cb9196626e8d7a
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12233
The code is assuming the buffer is max_size length, but we weren't
allocating enough space for it.
Signed-off-by: Shankara Pailoor <shankarapailoor@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
---
fs/jfs/xattr.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
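--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -491,15 +491,17 @@ static int ea_get(struct inode *inode, s
 if (size > PSIZE) {
 /*
 * To keep the rest of the code simple. Allocate a
- * contiguous buffer to work with
+ * contiguous buffer to work with. Make the buffer large
+ * enough to make use of the whole extent.
 */
- ea_buf->xattr = kmalloc(size, GFP_KERNEL);
+ ea_buf->max_size = (size + sb->s_blocksize - 1) &
+ ~(sb->s_blocksize - 1);
+
+ ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL);
 if (ea_buf->xattr == NULL)
 return -ENOMEM;
 
 ea_buf->flag = EA_MALLOC;
- ea_buf->max_size = (size + sb->s_blocksize - 1) &
- ~(sb->s_blocksize - 1);
 
 if (ea_size == 0)
 return 0;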
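Review bot: In the `size > PSIZE` branch the kmalloc() length and `ea_buf->max_size` are kept equal only by statement order, and the new comment does not say that the rest of the code treats the buffer as `max_size` bytes long. I would state that invariant in the comment, e.g. `* ea_buf->max_size must equal the kmalloc() length; users of the buffer assume max_size bytes.`, so a later reordering does not reintroduce the short allocation. The open-coded mask could be written as `ea_buf->max_size = round_up(size, sb->s_blocksize);`, which assumes a power-of-two block size just as the mask does. On the `-ENOMEM` return `max_size` is now already updated while `xattr` is NULL; whether any caller inspects `ea_buf` after a failure cannot be seen here, because ea_get's body starts and ends outside the hunk.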