orangefs: validate getxattr response length

orangefs_inode_getxattr() trusts the userspace-client-controlled downcall.resp.getxattr.val_sz and uses it as a memcpy() length both for the temporary user buffer and the cached xattr buffer. Reject malformed negative or oversized lengths before copying response bytes. Reported-by: Hyungjung Joo <jhj140711@gmail.com> Signed-off-by: HyungJung Joo <jhj140711@gmail.com> Signed-off-by: Mike Marshall <hubcap@omnibond.com>
author: HyungJung Joo <jhj140711@gmail.com> 2026-03-13 09:34:44 +0300
committer: Mike Marshall <hubcap@omnibond.com> 2026-04-07 18:28:19 +0300
commit: 092e0d0e964279feb9f43f81e8d1c52ef080d085 (patch)
tree: 20b7dfe812788387fa954af0c1b0284035486121
parent: 415e507cdefc510c01de8ab6644163327ee9a5d0 (diff)
download: linux-092e0d0e964279feb9f43f81e8d1c52ef080d085.tar.xz
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c
index 1b372189cd10..b6d116302de4 100644
--- a/fs/orangefs/xattr.c
+++ b/fs/orangefs/xattr.c
@@ -188,6 +188,10 @@ ssize_t orangefs_inode_getxattr(struct inode *inode, const char *name,
 	 * Length returned includes null terminator.
 	 */
 	length = new_op->downcall.resp.getxattr.val_sz;
+	if (length < 0 || length > ORANGEFS_MAX_XATTR_VALUELEN) {
+		ret = -EIO;
+		goto out_release_op;
+	}
 
 	/*
 	 * Just return the length of the queried attribute.
author	HyungJung Joo <jhj140711@gmail.com>	2026-03-13 09:34:44 +0300
committer	Mike Marshall <hubcap@omnibond.com>	2026-04-07 18:28:19 +0300
commit	092e0d0e964279feb9f43f81e8d1c52ef080d085 (patch)
tree	20b7dfe812788387fa954af0c1b0284035486121
parent	415e507cdefc510c01de8ab6644163327ee9a5d0 (diff)
download	linux-092e0d0e964279feb9f43f81e8d1c52ef080d085.tar.xz