* [PATCH] erofs-utils: lib: fix global-buffer-overflow due to invalid device
@ 2024-08-08 16:03 Gao Xiang
2024-08-08 17:15 ` Sandeep Dhavale via Linux-erofs
0 siblings, 1 reply; 4+ messages in thread
From: Gao Xiang @ 2024-08-08 16:03 UTC (permalink / raw)
To: linux-erofs; +Cc: Gao Xiang
Fuzzer generates an image with crafted chunks of some invalid device.
Also refine the printed message of EOD.
Closes: https://github.com/erofs/erofsnightly/actions/runs/10172576269/job/28135408276
Closes: https://github.com/erofs/erofs-utils/issues/11
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
---
lib/io.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/io.c b/lib/io.c
index 6bfae69..fbeff03 100644
--- a/lib/io.c
+++ b/lib/io.c
@@ -342,6 +342,10 @@ ssize_t erofs_dev_read(struct erofs_sb_info *sbi, int device_id,
ssize_t read;
if (device_id) {
+ if (device_id >= sbi->nblobs) {
+ erofs_err("invalid device id %u", device_id);
+ return -EIO;
+ }
read = erofs_io_pread(&((struct erofs_vfile) {
.fd = sbi->blobfd[device_id - 1],
}), buf, offset, len);
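Review bot: the added bound check `device_id >= sbi->nblobs` does not line up with the index used just below it, `sbi->blobfd[device_id - 1]`. After this check the largest index reached is nblobs - 2, so if blobfd holds nblobs entries the last blob device is rejected as invalid; `device_id > sbi->nblobs` would match the 1-based indexing. Separately, device_id is an `int` in the signature, so a negative value from a crafted image passes `if (device_id)` and, if nblobs is a signed type, this comparison as well, then indexes before the start of blobfd. An explicit `device_id < 0` test (or an unsigned parameter) closes that case and also makes the `%u` in the error message match its argument.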
@@ -352,7 +356,8 @@ ssize_t erofs_dev_read(struct erofs_sb_info *sbi, int device_id,
if (read < 0)
return read;
if (read < len) {
- erofs_info("reach EOF of device, pading with zeroes");
+ erofs_info("reach EOF of device @ %llu, pading with zeroes",
+ offset | 0ULL);
memset(buf + read, 0, len - read);
}
return 0;
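Review bot: in the refined erofs_info() message, the value printed after `@` is `offset`, the start of the request, while the short read actually ends at `offset + read` (the memset below starts at `buf + read`). Printing `offset + read` would tell the reader where the device ran out rather than where the request began. `offset | 0ULL` does widen the argument for `%llu`, but an explicit `(unsigned long long)` cast states the intent more readably. The added line also keeps the "pading" spelling from the old message.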
--
2.43.5
* Re: [PATCH] erofs-utils: lib: fix global-buffer-overflow due to invalid device
2024-08-08 16:03 [PATCH] erofs-utils: lib: fix global-buffer-overflow due to invalid device Gao Xiang
@ 2024-08-08 17:15 ` Sandeep Dhavale via Linux-erofs
2024-08-08 17:44 ` Gao Xiang
0 siblings, 1 reply; 4+ messages in thread
From: Sandeep Dhavale via Linux-erofs @ 2024-08-08 17:15 UTC (permalink / raw)
To: Gao Xiang; +Cc: linux-erofs
On Thu, Aug 8, 2024 at 9:04 AM Gao Xiang <hsiangkao@linux.alibaba.com> wrote:
>
> Fuzzer generates an image with crafted chunks of some invalid device.
> Also refine the printed message of EOD.
>
> Closes: https://github.com/erofs/erofsnightly/actions/runs/10172576269/job/28135408276
> Closes: https://github.com/erofs/erofs-utils/issues/11
> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
> ---
> lib/io.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/lib/io.c b/lib/io.c
> index 6bfae69..fbeff03 100644
> --- a/lib/io.c
> +++ b/lib/io.c
> @@ -342,6 +342,10 @@ ssize_t erofs_dev_read(struct erofs_sb_info *sbi, int device_id,
> ssize_t read;
>
> if (device_id) {
> + if (device_id >= sbi->nblobs) {
> + erofs_err("invalid device id %u", device_id);
> + return -EIO;
> + }
> read = erofs_io_pread(&((struct erofs_vfile) {
> .fd = sbi->blobfd[device_id - 1],
> }), buf, offset, len);
> @@ -352,7 +356,8 @@ ssize_t erofs_dev_read(struct erofs_sb_info *sbi, int device_id,
> if (read < 0)
> return read;
> if (read < len) {
> - erofs_info("reach EOF of device, pading with zeroes");
> + erofs_info("reach EOF of device @ %llu, pading with zeroes",
> + offset | 0ULL);
nit: typo carried over from previous log. s/pading/padding
> memset(buf + read, 0, len - read);
> }
> return 0;
> --
> 2.43.5
>
Reviewed-by: Sandeep Dhavale <dhavale@google.com>
Thanks,
Sandeep.
* Re: [PATCH] erofs-utils: lib: fix global-buffer-overflow due to invalid device
2024-08-08 17:15 ` Sandeep Dhavale via Linux-erofs
@ 2024-08-08 17:44 ` Gao Xiang
2024-08-08 17:55 ` Sandeep Dhavale via Linux-erofs
0 siblings, 1 reply; 4+ messages in thread
From: Gao Xiang @ 2024-08-08 17:44 UTC (permalink / raw)
To: Sandeep Dhavale; +Cc: Gao Xiang, linux-erofs
Hi Sandeep,
On Thu, Aug 08, 2024 at 10:15:31AM -0700, Sandeep Dhavale via Linux-erofs wrote:
> On Thu, Aug 8, 2024 at 9:04 AM Gao Xiang <hsiangkao@linux.alibaba.com> wrote:
> >
> > Fuzzer generates an image with crafted chunks of some invalid device.
> > Also refine the printed message of EOD.
> >
> > Closes: https://github.com/erofs/erofsnightly/actions/runs/10172576269/job/28135408276
> > Closes: https://github.com/erofs/erofs-utils/issues/11
> > Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
> > ---
> > lib/io.c | 7 ++++++-
> > 1 file changed, 6 insertions(+), 1 deletion(-)
> >
> > diff --git a/lib/io.c b/lib/io.c
> > index 6bfae69..fbeff03 100644
> > --- a/lib/io.c
> > +++ b/lib/io.c
> > @@ -342,6 +342,10 @@ ssize_t erofs_dev_read(struct erofs_sb_info *sbi, int device_id,
> > ssize_t read;
> >
> > if (device_id) {
> > + if (device_id >= sbi->nblobs) {
> > + erofs_err("invalid device id %u", device_id);
> > + return -EIO;
> > + }
> > read = erofs_io_pread(&((struct erofs_vfile) {
> > .fd = sbi->blobfd[device_id - 1],
> > }), buf, offset, len);
> > @@ -352,7 +356,8 @@ ssize_t erofs_dev_read(struct erofs_sb_info *sbi, int device_id,
> > if (read < 0)
> > return read;
> > if (read < len) {
> > - erofs_info("reach EOF of device, pading with zeroes");
> > + erofs_info("reach EOF of device @ %llu, pading with zeroes",
> > + offset | 0ULL);
> nit: typo carried over from previous log. s/pading/padding
Thanks for catching this!
>
> > memset(buf + read, 0, len - read);
> > }
> > return 0;
> > --
> > 2.43.5
> >
>
> Reviewed-by: Sandeep Dhavale <dhavale@google.com>
I'm about to release erofs-utils 1.8 today (it has already taken much
longer than expected, I don't want to hold it anymore), so the
code is frozen for now.
I will tag v1.8 soon, and write an announcement mail hours later.
Thanks,
Gao Xiang
>
> Thanks,
> Sandeep.
* Re: [PATCH] erofs-utils: lib: fix global-buffer-overflow due to invalid device
2024-08-08 17:44 ` Gao Xiang
@ 2024-08-08 17:55 ` Sandeep Dhavale via Linux-erofs
0 siblings, 0 replies; 4+ messages in thread
From: Sandeep Dhavale via Linux-erofs @ 2024-08-08 17:55 UTC (permalink / raw)
To: Sandeep Dhavale, Gao Xiang, linux-erofs
On Thu, Aug 8, 2024 at 10:45 AM Gao Xiang <xiang@kernel.org> wrote:
>
> Hi Sandeep,
>
> On Thu, Aug 08, 2024 at 10:15:31AM -0700, Sandeep Dhavale via Linux-erofs wrote:
> > On Thu, Aug 8, 2024 at 9:04 AM Gao Xiang <hsiangkao@linux.alibaba.com> wrote:
> > >
> > > Fuzzer generates an image with crafted chunks of some invalid device.
> > > Also refine the printed message of EOD.
> > >
> > > Closes: https://github.com/erofs/erofsnightly/actions/runs/10172576269/job/28135408276
> > > Closes: https://github.com/erofs/erofs-utils/issues/11
> > > Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
> > > ---
> > > lib/io.c | 7 ++++++-
> > > 1 file changed, 6 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/lib/io.c b/lib/io.c
> > > index 6bfae69..fbeff03 100644
> > > --- a/lib/io.c
> > > +++ b/lib/io.c
> > > @@ -342,6 +342,10 @@ ssize_t erofs_dev_read(struct erofs_sb_info *sbi, int device_id,
> > > ssize_t read;
> > >
> > > if (device_id) {
> > > + if (device_id >= sbi->nblobs) {
> > > + erofs_err("invalid device id %u", device_id);
> > > + return -EIO;
> > > + }
> > > read = erofs_io_pread(&((struct erofs_vfile) {
> > > .fd = sbi->blobfd[device_id - 1],
> > > }), buf, offset, len);
> > > @@ -352,7 +356,8 @@ ssize_t erofs_dev_read(struct erofs_sb_info *sbi, int device_id,
> > > if (read < 0)
> > > return read;
> > > if (read < len) {
> > > - erofs_info("reach EOF of device, pading with zeroes");
> > > + erofs_info("reach EOF of device @ %llu, pading with zeroes",
> > > + offset | 0ULL);
> > nit: typo carried over from previous log. s/pading/padding
>
> Thanks for catching this!
>
> >
> > > memset(buf + read, 0, len - read);
> > > }
> > > return 0;
> > > --
> > > 2.43.5
> > >
> >
> > Reviewed-by: Sandeep Dhavale <dhavale@google.com>
>
> I'm about to release erofs-utils 1.8 today (it has already taken much
> longer than expected, I don't want to hold it anymore), so the
> code is frozen for now.
>
Hi Gao,
No problem. Just caught my eyes, it's only cosmetic anyways.
> I will tag v1.8 soon, and write an announcement mail hours later.
>
Thank you!
Regards,
Sandeep.
> Thanks,
> Gao Xiang
>
> >
> > Thanks,
> > Sandeep.