Re: [PATCH] ovl: fix trusted xattr escape prefix matching

From: Amir Goldstein

Date: Wed Jul 08 2026 - 06:32:54 EST


On Wed, Jul 8, 2026 at 10:22 AM Yichong Chen <chenyichong@xxxxxxxxxxxxx> wrote:
>
> In the trusted.* xattr namespace, ovl_is_escaped_xattr() compares
> one byte less than the escaped overlay xattr prefix length. This makes
> it match "trusted.overlay.overlay" without requiring the trailing dot.
>
> As a result, an xattr such as "trusted.overlay.overlayfoo" is
> incorrectly treated as an escaped overlay xattr. This can be reproduced
> by setting "trusted.overlay.overlayfoo" on a lower file and listing xattrs
> through an overlay mount. listxattr() then exposes it as
> "trusted.overlay.oo", and a following getxattr() on that listed name fails
> with ENODATA.
>
> Compare the full escaped prefix, including the trailing dot, so
> similarly-prefixed private xattrs are not misclassified.
>
> Fixes: dad02fad84cbc ("ovl: Support escaped overlay.* xattrs")
> Signed-off-by: Yichong Chen <chenyichong@xxxxxxxxxxxxx>

Reviewed-by: Amir Goldstein <amir73il@xxxxxxxxx>


Christian,

Would you mind applying this fix via vfs.fixes?

Thanks,
Amir.

> ---
> fs/overlayfs/xattrs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/overlayfs/xattrs.c b/fs/overlayfs/xattrs.c
> index aa95855c7023..859e80ae6f40 100644
> --- a/fs/overlayfs/xattrs.c
> +++ b/fs/overlayfs/xattrs.c
> @@ -13,7 +13,7 @@ static bool ovl_is_escaped_xattr(struct super_block *sb, const char *name)
> OVL_XATTR_ESCAPE_USER_PREFIX_LEN) == 0;
> else
> return strncmp(name, OVL_XATTR_ESCAPE_TRUSTED_PREFIX,
> - OVL_XATTR_ESCAPE_TRUSTED_PREFIX_LEN - 1) == 0;
> + OVL_XATTR_ESCAPE_TRUSTED_PREFIX_LEN) == 0;
> }
>
> static bool ovl_is_own_xattr(struct super_block *sb, const char *name)
> --
> 2.51.0
>