From: Gao Xiang <hsiangkao@redhat.com>
To: "Darrick J. Wong" <darrick.wong@oracle.com>
Cc: linux-xfs@vger.kernel.org, Brian Foster <bfoster@redhat.com>,
Dave Chinner <david@fromorbit.com>
Subject: Re: [PATCH v4 1/2] xfs: avoid LR buffer overrun due to crafted h_len
Date: Thu, 24 Sep 2020 00:52:58 +0800 [thread overview]
Message-ID: <20200923165258.GA28205@xiangao.remote.csb> (raw)
In-Reply-To: <20200923163540.GU7955@magnolia>
On Wed, Sep 23, 2020 at 09:35:40AM -0700, Darrick J. Wong wrote:
> On Thu, Sep 17, 2020 at 01:13:40PM +0800, Gao Xiang wrote:
> > Currently, crafted h_len has been blocked for the log
> > header of the tail block in commit a70f9fe52daa ("xfs:
> > detect and handle invalid iclog size set by mkfs").
> >
> > However, each log record could still have crafted h_len
> > and cause log record buffer overrun. So let's check
> > h_len vs buffer size for each log record as well.
> >
> > Signed-off-by: Gao Xiang <hsiangkao@redhat.com>
>
> /me squints real hard and thinks he understands what this patch does.
>
> Tighten up xlog_valid_rec_header, and add a new callsite in the middle
> of xlog_do_recovery_pass instead of the insufficient length checking.
> Assuming that's right,
>
> Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Thanks for the review!
The main point is to check each individual LR h_len against LR buffer
size allocated first in xlog_do_recovery_pass() to avoid buffer
overflow triggered by CRC calc or follow-up steps (details in
https://lore.kernel.org/linux-xfs/20200902224726.GB4671@xiangao.remote.csb/ ).
no new callsite (just move the callsite after original workaround
code). Anyway, that is just a buffer overflow issue can be triggered
by corrupted log. Just a minor stuff but security guyes could also
keep eyes on such thing. I think that is right. :)
Thanks,
Gao Xiang
>
> --D
next prev parent reply other threads:[~2020-09-23 16:53 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-17 5:13 [PATCH v2 0/2] xfs: random patches on log recovery Gao Xiang
2020-09-17 5:13 ` [PATCH v4 1/2] xfs: avoid LR buffer overrun due to crafted h_len Gao Xiang
2020-09-22 15:22 ` Brian Foster
2020-09-22 15:28 ` Gao Xiang
2020-09-23 16:35 ` Darrick J. Wong
2020-09-23 16:52 ` Gao Xiang [this message]
2020-09-17 5:13 ` [PATCH v3 2/2] xfs: clean up calculation of LR header blocks Gao Xiang
2020-09-22 15:22 ` Brian Foster
2020-09-22 15:32 ` Gao Xiang
2020-09-22 15:53 ` [PATCH v3.2] " Gao Xiang
2020-09-23 16:32 ` Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200923165258.GA28205@xiangao.remote.csb \
--to=hsiangkao@redhat.com \
--cc=bfoster@redhat.com \
--cc=darrick.wong@oracle.com \
--cc=david@fromorbit.com \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.