From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: Wang Shilong <wangshilong1991@gmail.com>
Cc: linux-ext4@vger.kernel.org, adilger@dilger.ca, lixi@ddn.com,
	wshilong@ddn.com
Subject: Re: [PATCH 2/2] e2fsck: fix use after free in calculate_tree()
Date: Mon, 30 Dec 2019 19:57:13 -0500	[thread overview]
Message-ID: <20191231005713.GA3669@mit.edu> (raw)
In-Reply-To: <1574759039-7429-2-git-send-email-wangshilong1991@gmail.com>

Here is the version which I plan to use in e2fsprogs's maint branch.

- Ted

commit aacc234471a9a0ab6d8d6f610a0e4996e9bfc785
Author: Wang Shilong <wshilong@ddn.com>
Date:   Mon Dec 30 19:52:39 2019 -0500

    e2fsck: fix use after free in calculate_tree()
    
    The problem is alloc_blocks() will call get_next_block() which might
    reallocate outdir->buf, and memory address could be changed after
    this.  To fix this, pointers that point into outdir->buf, such as
    int_limit and root need to be recalculated based on the new starting
    address of outdir->buf.
    
    [ Changed to correctly recalculate int_limit, and to optimize how we
      reallocate outdir->buf.  -TYT ]
    
    Signed-off-by: Wang Shilong <wshilong@ddn.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>

diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
index 392cfe9f..54bc6803 100644
--- a/e2fsck/rehash.c
+++ b/e2fsck/rehash.c
@@ -301,7 +301,11 @@ static errcode_t get_next_block(ext2_filsys fs, struct out_dir *outdir,
 	errcode_t	retval;
 
 	if (outdir->num >= outdir->max) {
-		retval = alloc_size_dir(fs, outdir, outdir->max + 50);
+		int increment = outdir->max / 10;
+
+		if (increment < 50)
+			increment = 50;
+		retval = alloc_size_dir(fs, outdir, outdir->max + increment);
 		if (retval)
 			return retval;
 	}
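Review bot: the growth-policy change in get_next_block() (10% of outdir->max, with a 50-block floor) is independent of the use-after-free and makes the fix harder to backport as a minimal change; consider splitting it into its own commit, or at least noting in the body why the larger step matters for the directories that triggered the reallocation. Also worth a glance that `outdir->max + increment` cannot overflow the type of outdir->max for the largest directory sizes the hash tree can describe.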
@@ -645,6 +649,9 @@ static int alloc_blocks(ext2_filsys fs,
 	if (retval)
 		return retval;
 
+	/* outdir->buf might be reallocated */
+	*prev_ent = (struct ext2_dx_entry *) (outdir->buf + *prev_offset);
+
 	*next_ent = set_int_node(fs, block_start);
 	*limit = (struct ext2_dx_countlimit *)(*next_ent);
 	if (next_offset)
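Review bot: the recomputation `*prev_ent = (struct ext2_dx_entry *) (outdir->buf + *prev_offset);` dereferences prev_offset unconditionally, while next_offset is NULL-checked two lines later; if prev_offset is ever optional in the same way, this will crash, so either assert it is required or guard it identically. It also silently depends on *prev_offset holding the byte offset of *prev_ent within outdir->buf before the reallocating call; a one-line comment stating that invariant next to the existing "might be reallocated" comment would make the contract explicit for future callers.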
@@ -734,6 +741,9 @@ static errcode_t calculate_tree(ext2_filsys fs,
 					return retval;
 			}
 			if (c3 == 0) {
+				int delta1 = (char *)int_limit - outdir->buf;
+				int delta2 = (char *)root - outdir->buf;
+
 				retval = alloc_blocks(fs, &limit, &int_ent,
 						      &dx_ent, &int_offset,
 						      NULL, outdir, i, &c2,
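Review bot: `int delta1 = (char *)int_limit - outdir->buf;` and `int delta2 = (char *)root - outdir->buf;` store pointer differences in int; the natural type is ptrdiff_t (or the same type used for the offsets passed to alloc_blocks), since an int truncates once the directory buffer exceeds 2 GiB on a 64-bit host and the later rebuild of int_limit and root would then point into the wrong place. Suggest declaring both as ptrdiff_t, or reusing the existing offset variables rather than recomputing from pointers.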
@@ -741,6 +751,11 @@ static errcode_t calculate_tree(ext2_filsys fs,
 				if (retval)
 					return retval;
 
+				/* outdir->buf might be reallocated */
+				int_limit = (struct ext2_dx_countlimit *)
+					(outdir->buf + delta1);
+				root = (struct ext2_dx_entry *)
+					(outdir->buf + delta2);
 			}
 			dx_ent->block = ext2fs_cpu_to_le32(i);
 			if (c3 != limit->limit)
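Review bot: the offset-then-rebuild pattern now appears twice (prev_ent inside alloc_blocks and int_limit/root here) and only at the call sites where someone remembered that get_next_block() can move outdir->buf; any future path that reallocates will reintroduce the same dangling pointers. Consider having calculate_tree() keep byte offsets for int_limit and root and derive the pointers from outdir->buf at the point of use, or factor the rebuild into a small helper so there is a single place to audit.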

