All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] ubifs: ubifs_link: Fix wrong name len calculating when UBIFS is encrypted
@ 2023-09-23  3:28 ` Zhihao Cheng
  0 siblings, 0 replies; 3+ messages in thread
From: Zhihao Cheng @ 2023-09-23  3:28 UTC (permalink / raw)
  To: richard, roland.ruckerbauer, david; +Cc: linux-mtd, linux-kernel, chengzhihao1

The length of dentry name is calculated after the raw name is encrypted,
except for ubifs_link(), which could make the size of dir underflow.
Here is a reproducer:

 touch $TMP/file
 mkdir $TMP/dir
 stat $TMP/dir
 for i in $(seq 1 8)
 do
   ln $TMP/file $TMP/dir/$i
   unlink $TMP/dir/$i
 done
 stat $TMP/dir

The size of dir will be underflow(-96).

Fix it by calculating dentry name's length after the name is encrypted.

Fixes: f4f61d2cc6d8 ("ubifs: Implement encrypted filenames")
Reported-by: Roland Ruckerbauer <roland.ruckerbauer@robart.cc>
Link: https://lore.kernel.org/linux-mtd/1638777819.2925845.1695222544742.JavaMail.zimbra@robart.cc/T/#u
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
---
 fs/ubifs/dir.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
index 2f48c58d47cd..5dc1ac4d826d 100644
--- a/fs/ubifs/dir.c
+++ b/fs/ubifs/dir.c
@@ -724,7 +724,7 @@ static int ubifs_link(struct dentry *old_dentry, struct inode *dir,
 	struct inode *inode = d_inode(old_dentry);
 	struct ubifs_inode *ui = ubifs_inode(inode);
 	struct ubifs_inode *dir_ui = ubifs_inode(dir);
-	int err, sz_change = CALC_DENT_SIZE(dentry->d_name.len);
+	int err, sz_change;
 	struct ubifs_budget_req req = { .new_dent = 1, .dirtied_ino = 2,
 				.dirtied_ino_d = ALIGN(ui->data_len, 8) };
 	struct fscrypt_name nm;
@@ -748,6 +748,8 @@ static int ubifs_link(struct dentry *old_dentry, struct inode *dir,
 	if (err)
 		return err;
 
+	sz_change = CALC_DENT_SIZE(fname_len(&nm));
+
 	err = dbg_check_synced_i_size(c, inode);
 	if (err)
 		goto out_fname;
-- 
2.39.2


______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* [PATCH] ubifs: ubifs_link: Fix wrong name len calculating when UBIFS is encrypted
@ 2023-09-23  3:28 ` Zhihao Cheng
  0 siblings, 0 replies; 3+ messages in thread
From: Zhihao Cheng @ 2023-09-23  3:28 UTC (permalink / raw)
  To: richard, roland.ruckerbauer, david; +Cc: linux-mtd, linux-kernel, chengzhihao1

The length of dentry name is calculated after the raw name is encrypted,
except for ubifs_link(), which could make the size of dir underflow.
Here is a reproducer:

 touch $TMP/file
 mkdir $TMP/dir
 stat $TMP/dir
 for i in $(seq 1 8)
 do
   ln $TMP/file $TMP/dir/$i
   unlink $TMP/dir/$i
 done
 stat $TMP/dir

The size of dir will be underflow(-96).

Fix it by calculating dentry name's length after the name is encrypted.

Fixes: f4f61d2cc6d8 ("ubifs: Implement encrypted filenames")
Reported-by: Roland Ruckerbauer <roland.ruckerbauer@robart.cc>
Link: https://lore.kernel.org/linux-mtd/1638777819.2925845.1695222544742.JavaMail.zimbra@robart.cc/T/#u
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
---
 fs/ubifs/dir.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
index 2f48c58d47cd..5dc1ac4d826d 100644
--- a/fs/ubifs/dir.c
+++ b/fs/ubifs/dir.c
@@ -724,7 +724,7 @@ static int ubifs_link(struct dentry *old_dentry, struct inode *dir,
 	struct inode *inode = d_inode(old_dentry);
 	struct ubifs_inode *ui = ubifs_inode(inode);
 	struct ubifs_inode *dir_ui = ubifs_inode(dir);
-	int err, sz_change = CALC_DENT_SIZE(dentry->d_name.len);
+	int err, sz_change;
 	struct ubifs_budget_req req = { .new_dent = 1, .dirtied_ino = 2,
 				.dirtied_ino_d = ALIGN(ui->data_len, 8) };
 	struct fscrypt_name nm;
@@ -748,6 +748,8 @@ static int ubifs_link(struct dentry *old_dentry, struct inode *dir,
 	if (err)
 		return err;
 
+	sz_change = CALC_DENT_SIZE(fname_len(&nm));
+
 	err = dbg_check_synced_i_size(c, inode);
 	if (err)
 		goto out_fname;
-- 
2.39.2


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [EXT] [PATCH] ubifs: ubifs_link: Fix wrong name len calculating when UBIFS is encrypted
  2023-09-23  3:28 ` Zhihao Cheng
  (?)
@ 2023-09-25  8:33 ` Roland Ruckerbauer
  -1 siblings, 0 replies; 3+ messages in thread
From: Roland Ruckerbauer @ 2023-09-25  8:33 UTC (permalink / raw)
  To: Zhihao Cheng; +Cc: linux-mtd

Wow, thanks for the very fast response!

I will backport + test this with the current kernel I am using,
and maybe on upstream if its not too much work to get it going on the device I am using.

Running it over night always produced the corruption, so it should be a good test.

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-09-25  8:34 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-23  3:28 [PATCH] ubifs: ubifs_link: Fix wrong name len calculating when UBIFS is encrypted Zhihao Cheng
2023-09-23  3:28 ` Zhihao Cheng
2023-09-25  8:33 ` [EXT] " Roland Ruckerbauer

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.