From 0fbff50fde1169e6e1ba186b7b8325c31f3c5074 Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Wed, 10 Aug 2022 13:32:32 +0200
Subject: [PATCH] Limit xattr section size to 4k

This means we're not using potentially unbounded kernel memory for the
inode for the xattrs. I think in practice we're not going to see such
large xattrs anyway, they are mainly used to store things like ACLs,
file caps or selinux contexts.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
---
 kernel/cfs-reader.c        | 4 ++++
 kernel/cfs.h               | 1 +
 libcomposefs/lcfs-writer.c | 7 +++++++
 libcomposefs/lcfs.h        | 1 +
 4 files changed, 13 insertions(+)

diff --git a/kernel/cfs-reader.c b/kernel/cfs-reader.c
index 5c53a16c..1e1cf143 100644
--- a/kernel/cfs-reader.c
+++ b/kernel/cfs-reader.c
@@ -492,6 +492,10 @@ struct cfs_xattr_header_s *cfs_get_xattrs(struct cfs_context_s *ctx,
 	if (ino->xattrs.len < sizeof(struct cfs_xattr_header_s))
 		return ERR_PTR(-EFSCORRUPTED);
 
+	/* Don't allocate arbitriary size xattrs */
+	if (ino->xattrs.len > CFS_MAX_XATTRS_SIZE)
+		return ERR_PTR(-EFSCORRUPTED);
+
 	xattrs = cfs_alloc_vdata(ctx, ino->xattrs);
 	if (IS_ERR(xattrs))
 		return ERR_CAST(xattrs);
diff --git a/kernel/cfs.h b/kernel/cfs.h
index aa448e98..390e116c 100644
--- a/kernel/cfs.h
+++ b/kernel/cfs.h
@@ -28,6 +28,7 @@
 #define CFS_MAGIC 0xc078629aU
 
 #define CFS_MAX_DIR_CHUNK_SIZE 4096
+#define CFS_MAX_XATTRS_SIZE 4096
 
 static inline u16 cfs_u16_to_file(u16 val)
 {
diff --git a/libcomposefs/lcfs-writer.c b/libcomposefs/lcfs-writer.c
index 9199b633..bd711329 100644
--- a/libcomposefs/lcfs-writer.c
+++ b/libcomposefs/lcfs-writer.c
@@ -512,6 +512,13 @@ static int compute_xattrs(struct lcfs_ctx_s *ctx)
 		}
 		header_len = lcfs_xattr_header_size(node->n_xattrs);
 		buffer_len = header_len + data_length;
+
+		/* Limit to max xattrs size */
+		if (buffer_len > LCFS_MAX_XATTRS_SIZE) {
+			errno = EINVAL;
+			return -1;
+		}
+
 		buffer = calloc(1, buffer_len);
 		if (buffer == NULL) {
 			errno = ENOMEM;
diff --git a/libcomposefs/lcfs.h b/libcomposefs/lcfs.h
index 0ed79e93..c5294822 100644
--- a/libcomposefs/lcfs.h
+++ b/libcomposefs/lcfs.h
@@ -28,6 +28,7 @@
 #define LCFS_DIGEST_SIZE 32
 
 #define LCFS_MAX_DIR_CHUNK_SIZE 4096
+#define LCFS_MAX_XATTRS_SIZE 4096
 
 #define LCFS_MAX_NAME_LENGTH 255 /* max len of file name excluding NULL */