Limit xattr section size to 4k

This means we're not using potentially unbounded kernel memory for the inode for the xattrs. I think in practice we're not going to see such large xattrs anyway, they are mainly used to store things like ACLs, file caps or selinux contexts. Signed-off-by: Alexander Larsson <[email protected]>
containers · Aug 10, 2022 · 0fbff50 · 0fbff50
1 parent 884e6f2
commit 0fbff50
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 0 deletions.
diff --git a/kernel/cfs-reader.c b/kernel/cfs-reader.c
@@ -492,6 +492,10 @@ struct cfs_xattr_header_s *cfs_get_xattrs(struct cfs_context_s *ctx,
 	if (ino->xattrs.len < sizeof(struct cfs_xattr_header_s))
 		return ERR_PTR(-EFSCORRUPTED);
 
+	/* Don't allocate arbitriary size xattrs */
+	if (ino->xattrs.len > CFS_MAX_XATTRS_SIZE)
+		return ERR_PTR(-EFSCORRUPTED);
+
 	xattrs = cfs_alloc_vdata(ctx, ino->xattrs);
 	if (IS_ERR(xattrs))
 		return ERR_CAST(xattrs);

diff --git a/kernel/cfs.h b/kernel/cfs.h
@@ -28,6 +28,7 @@
 #define CFS_MAGIC 0xc078629aU
 
 #define CFS_MAX_DIR_CHUNK_SIZE 4096
+#define CFS_MAX_XATTRS_SIZE 4096
 
 static inline u16 cfs_u16_to_file(u16 val)
 {

diff --git a/libcomposefs/lcfs-writer.c b/libcomposefs/lcfs-writer.c
@@ -512,6 +512,13 @@ static int compute_xattrs(struct lcfs_ctx_s *ctx)
 		}
 		header_len = lcfs_xattr_header_size(node->n_xattrs);
 		buffer_len = header_len + data_length;
+
+		/* Limit to max xattrs size */
+		if (buffer_len > LCFS_MAX_XATTRS_SIZE) {
+			errno = EINVAL;
+			return -1;
+		}
+
 		buffer = calloc(1, buffer_len);
 		if (buffer == NULL) {
 			errno = ENOMEM;

diff --git a/libcomposefs/lcfs.h b/libcomposefs/lcfs.h
@@ -28,6 +28,7 @@
 #define LCFS_DIGEST_SIZE 32
 
 #define LCFS_MAX_DIR_CHUNK_SIZE 4096
+#define LCFS_MAX_XATTRS_SIZE 4096
 
 #define LCFS_MAX_NAME_LENGTH 255 /* max len of file name excluding NULL */