From f2d06d3c76a1d69447e7bd6fd29d8165be558d73 Mon Sep 17 00:00:00 2001
From: Mr NeilBrown
Date: Mon, 28 Oct 2019 12:24:26 +1100
Subject: [PATCH] LU-12911 llite: Don't access lov_md fields before size check

When 'struct lov_user_md' is passed in via setxattr, it comes with a size. If that size is too small, some functions that check exactly what version is present might access beyond the end of allocation memory, which can have undesirable effects, such as triggering a KASAN warning (and possibly worse).

So check that the size is sane before looking inside the structure at all.

Signed-off-by: Mr NeilBrown
Change-Id: Ib3f071a3ff77a039fdfa38c903d87999108b3322
Reviewed-on: https://review.whamcloud.com/36589
Reviewed-by: James Simmons
Reviewed-by: Andreas Dilger
Reviewed-by: Shaun Tancheff
Tested-by: jenkins
Tested-by: Maloo
--- lustre/llite/xattr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lustre/llite/xattr.c b/lustre/llite/xattr.c index 0c50a59..829584d 100644 --- a/lustre/llite/xattr.c +++ b/lustre/llite/xattr.c @@ -283,6 +283,12 @@ static int ll_setstripe_ea(struct dentry *dentry, struct lov_user_md *lump, if (!size && lump) lump = NULL; + if (size && size < sizeof(*lump)) { + /* ll_adjust_lum() or ll_lov_user_md_size() might access + * before size - just give up now. + */ + return -ERANGE; + } rc = ll_adjust_lum(inode, lump); if (rc) return rc; -- 1.8.3.1
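Review bot: the new `size < sizeof(*lump)` test in ll_setstripe_ea() only guarantees that the base `struct lov_user_md` is inside the buffer, while the very next call, `rc = ll_adjust_lum(inode, lump);`, still receives no length. If that helper or ll_lov_user_md_size() reads anything past the base structure once it has identified the version, that read is still unchecked against `size`. It would help to state in the comment that the check covers only the base header, and to confirm that the version-specific length is validated against `size` before any larger layout is touched, or to pass `size` down so the callee can do it. The comment also says the helpers "might access before size", where the commit message describes an access beyond the end of the buffer; "beyond size" would match. Finally, consider whether -EINVAL is a better fit than -ERANGE for a setxattr value that is too short, since callers tend to read -ERANGE as a value that is too large.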