Skip to content

Commit f39945c

Browse files
bmastbergenbmastbergen
committed
ext4: introduce ITAIL helper
jira VULN-65380 cve-pre CVE-2025-22121 commit-author Ye Bin <yebin10@huawei.com> commit 69f3a30 Introduce ITAIL helper to get the bound of xattr in inode. Signed-off-by: Ye Bin <yebin10@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://patch.msgid.link/20250208063141.1539283-2-yebin@huaweicloud.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> (cherry picked from commit 69f3a30) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
1 parent bd76a2b commit f39945c

File tree

2 files changed

+8
-5
lines changed

2 files changed

+8
-5
lines changed

fs/ext4/xattr.c

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -638,7 +638,7 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name,
638638
return error;
639639
raw_inode = ext4_raw_inode(&iloc);
640640
header = IHDR(inode, raw_inode);
641-
end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
641+
end = ITAIL(inode, raw_inode);
642642
error = xattr_check_inode(inode, header, end);
643643
if (error)
644644
goto cleanup;
@@ -783,7 +783,7 @@ ext4_xattr_ibody_list(struct dentry *dentry, char *buffer, size_t buffer_size)
783783
return error;
784784
raw_inode = ext4_raw_inode(&iloc);
785785
header = IHDR(inode, raw_inode);
786-
end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
786+
end = ITAIL(inode, raw_inode);
787787
error = xattr_check_inode(inode, header, end);
788788
if (error)
789789
goto cleanup;
@@ -869,7 +869,7 @@ int ext4_get_inode_usage(struct inode *inode, qsize_t *usage)
869869
goto out;
870870
raw_inode = ext4_raw_inode(&iloc);
871871
header = IHDR(inode, raw_inode);
872-
end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
872+
end = ITAIL(inode, raw_inode);
873873
ret = xattr_check_inode(inode, header, end);
874874
if (ret)
875875
goto out;
@@ -2231,7 +2231,7 @@ int ext4_xattr_ibody_find(struct inode *inode, struct ext4_xattr_info *i,
22312231
header = IHDR(inode, raw_inode);
22322232
is->s.base = is->s.first = IFIRST(header);
22332233
is->s.here = is->s.first;
2234-
is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
2234+
is->s.end = ITAIL(inode, raw_inode);
22352235
if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) {
22362236
error = xattr_check_inode(inode, header, is->s.end);
22372237
if (error)
@@ -2748,7 +2748,7 @@ int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize,
27482748
*/
27492749

27502750
base = IFIRST(header);
2751-
end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
2751+
end = ITAIL(inode, raw_inode);
27522752
min_offs = end - base;
27532753
total_ino = sizeof(struct ext4_xattr_ibody_header) + sizeof(u32);
27542754

fs/ext4/xattr.h

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -68,6 +68,9 @@ struct ext4_xattr_entry {
6868
((void *)raw_inode + \
6969
EXT4_GOOD_OLD_INODE_SIZE + \
7070
EXT4_I(inode)->i_extra_isize))
71+
#define ITAIL(inode, raw_inode) \
72+
((void *)(raw_inode) + \
73+
EXT4_SB((inode)->i_sb)->s_inode_size)
7174
#define IFIRST(hdr) ((struct ext4_xattr_entry *)((hdr)+1))
7275

7376
/*

0 commit comments

Comments
 (0)