Hi Dave,

Attached is my proposed patch. It solves the problem as you suggest and I don't see the KASAN complaint.

Regards,
Shankara

On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp <[email protected]> wrote:
> On 06/01/2018 11:06 PM, shankarapailoor wrote:
>> Hi,
>>
>> Looking at the crash some more, it seems that if value_len > PAGE_SIZE
>> then e_buf->max_size is rounded up to the nearest page size [1]. If a new
>> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then
>> no new space is allocated for the attribute list [2] and this
>> triggers the KASAN slab out of bounds error. This is the case in the C
>> repro I provided.
>
> I see the problem. It looks like we should be calculating max_size
> earlier and using that to call kmalloc(). (xattr.c#496)
>
> Shaggy
>>
>>
>> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501
>> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723
>>
>> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor
>> <[email protected]> wrote:
>>> Hi Dave et al,
>>>
>>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller. KASAN:
>>> slab-out-of-bounds in jfs_xattr.
>>>
>>> Attached are my kernel configs and a C reproducer. In the first
>>> setxattr call it appears that length is much larger than the name. In
>>> __jfs_setxattr, I don't see where the length is checked against the
>>> actual value length.
>>>
>>> Regards,
>>> Shankara Pailoor
>>
>>
>> --
>> Regards,
>> Shankara Pailoor
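Added illustration of the sizing defect discussed in the thread; this is a stand-alone C model, not the JFS code and not the attached patch. It shows the buggy ordering (allocate, then round max_size up to a page) beside the ordering Dave suggests (compute max_size first, allocate that much), and an invariant check that distinguishes the two. All names (ea_buf, ea_alloc_buggy, ea_alloc_fixed, ea_fits, MODEL_PAGE_SIZE) are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>

#define MODEL_PAGE_SIZE 4096u   /* hypothetical page size for the model */

/* Hypothetical stand-in for the extended-attribute buffer record. */
struct ea_buf {
    unsigned char *buf;  /* backing storage */
    size_t alloc_size;   /* bytes really allocated (tracked for the check) */
    size_t max_size;     /* size the append path trusts */
    size_t used;         /* bytes occupied by the current attribute list */
};

static size_t round_up_page(size_t n)
{
    return (n + MODEL_PAGE_SIZE - 1) & ~(size_t)(MODEL_PAGE_SIZE - 1);
}

static size_t rounded_max(size_t value_len)
{
    return value_len > MODEL_PAGE_SIZE ? round_up_page(value_len) : value_len;
}

/* Buggy order: allocate value_len bytes, then record a larger max_size. */
static int ea_alloc_buggy(struct ea_buf *e, size_t value_len)
{
    e->buf = calloc(1, value_len);
    if (!e->buf) return -1;
    e->alloc_size = value_len;
    e->max_size = rounded_max(value_len);  /* exceeds what was allocated */
    e->used = value_len;
    return 0;
}

/* Fixed order: decide max_size first and allocate exactly that much. */
static int ea_alloc_fixed(struct ea_buf *e, size_t value_len)
{
    e->max_size = rounded_max(value_len);
    e->buf = calloc(1, e->max_size);
    if (!e->buf) return -1;
    e->alloc_size = e->max_size;
    e->used = value_len;
    return 0;
}

/* The append path reuses the buffer whenever the new attribute fits max_size. */
static bool ea_fits(const struct ea_buf *e, size_t attr_len)
{
    return attr_len <= e->max_size - e->used;
}

/* Invariant: everything max_size admits must be backed by real allocation. */
static bool ea_invariant_holds(const struct ea_buf *e)
{
    return e->max_size <= e->alloc_size;
}

static void ea_free(struct ea_buf *e) { free(e->buf); e->buf = NULL; }
```

With a 5000-byte value the buggy record reports 3192 bytes of free space that were never allocated, which is exactly the write KASAN flags; the fixed record allocates the full 8192 bytes up front.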

