orangefs: validate getxattr response length

Papya-j · hubcapsc · commit 092e0d0e9642 · 2026-04-07T11:28:19.000-04:00
orangefs_inode_getxattr() trusts the userspace-client-controlled
downcall.resp.getxattr.val_sz and uses it as a memcpy() length
both for the temporary user buffer and the cached xattr buffer.
Reject malformed negative or oversized lengths before copying
response bytes.

Reported-by: Hyungjung Joo &lt;jhj140711@gmail.com&gt;
Signed-off-by: HyungJung Joo &lt;jhj140711@gmail.com&gt;
Signed-off-by: Mike Marshall &lt;hubcap@omnibond.com&gt;
diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c
@@ -188,6 +188,10 @@ ssize_t orangefs_inode_getxattr(struct inode *inode, const char *name,
 	 * Length returned includes null terminator.
 	 */
 	length = new_op->downcall.resp.getxattr.val_sz;
+	if (length < 0 || length > ORANGEFS_MAX_XATTR_VALUELEN) {
+		ret = -EIO;
+		goto out_release_op;
+	}
 
 	/*
 	 * Just return the length of the queried attribute.
