nfs: Fix getxattr kernel panic and memory overflow (89730466) · Commits · e / devices / android_kernel_fairphone_FP3

[ Upstream commit b4487b93545214a9db8cbf32e86411677b0cca21 ] Move the buffer size check to decode_attr_security_label() before memcpy() Only call memcpy() if the buffer is large enough Fixes: ("NFS: Client implementation of Labeled-NFS") Signed-off-by:

Jeffrey Mitchell <jeffrey.mitchell@starlab.io> [Trond: clean up duplicate test of label->len != 0] Signed-off-by:

Trond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by:

Sasha Levin <sashal@kernel.org>

fs/nfs/nfs4proc.c

+0 −2

Original line number	Diff line number	Diff line
		@@ -5212,8 +5212,6 @@ static int _nfs4_get_security_label(struct inode inode, void buf,
		return ret;
		if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL))
		return -ENOENT;
		if (buflen < label.len)
		return -ERANGE;
		return 0;
		}

fs/nfs/nfs4xdr.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -4163,7 +4163,11 @@ static int decode_attr_security_label(struct xdr_stream xdr, uint32_t bitmap,
		goto out_overflow;
		if (len < NFS4_MAXLABELLEN) {
		if (label) {
		if (label->len) {
		if (label->len < len)
		return -ERANGE;
		memcpy(label->label, p, len);
		}
		label->len = len;
		label->pi = pi;
		label->lfs = lfs;