From: Stefan Behrens <sbehrens@giantdisaster.de>
To: Jeff Liu <jeff.liu@oracle.com>
Cc: kreijack@inwind.it, linux-btrfs@vger.kernel.org,
anand.jain@oracle.com, miaox@cn.fujitsu.com, dsterba@suse.cz
Subject: Re: [RFC PATCH v7 1/2] Btrfs: Add a new ioctl to get the label of a mounted file system
Date: Fri, 21 Dec 2012 09:50:03 +0100 [thread overview]
Message-ID: <50D422BB.3080204@giantdisaster.de> (raw)
In-Reply-To: <50D404B8.2000102@oracle.com>
On 12/21/2012 07:42, Jeff Liu wrote:
> On 12/21/2012 04:18 AM, Goffredo Baroncelli wrote:
>> On 12/20/2012 09:43 AM, Jeff Liu wrote:
>>> +static int btrfs_ioctl_get_fslabel(struct file *file, void __user *arg)
>>> +{
>>> + struct btrfs_root *root = BTRFS_I(fdentry(file)->d_inode)->root;
>>> + const char *label = root->fs_info->super_copy->label;
>>> + int ret;
>>> +
>>> + mutex_lock(&root->fs_info->volume_mutex);
>>> + ret = copy_to_user(arg, label, strlen(label));
>>
>> Sorry for pointing out my doubt too late, but should we trust
>> super_copy->label ?
>> An user could insert a usb-key with a btrfs filesystem with a label
>> without zero. In this case strlen() could access outside
>> super_copy->label[].
> Thank you for letting me be aware of this situation.
>
> First of all, if the user set label via btrfs tools, he can not make it
> length exceeding BTRFS_LABLE_SIZE - 1.
>
> If the user does that through codes wrote by himself like:
> btrfslabel.c->set_label_unmounted(), he can do that.
> However, it most likely he did that for evil purpose or any other reasons?
>>
>> I think that it should be quite easy to alter artificially a filesystem
>> to crash the kernel. So I not consider this as big problem. However *in
>> case* of a further cycle of this patch I suggest to replace strlen()
>> with strnlen().
> I don't think we should replace strlen() with strnlen() since it's
> totally wrong if the length of label is more than BTRFS_LABEL_SIZE -1,
> we can not just truncating the label and return it in this case.
> Add BUG_ON(strlen(label) > BTRFS_LABEL_SIZE - 1) is reasonable instead.
Don't allow users to attack the kernel! This would add a severe security
issue. A BUG_ON() is something that you can use before the code would
crash anyway, to prevent any additional damage and to help in debugging.
A BUG() is not a method to report or handle user errors.
A Linux system is supposed to run until it is shutdown by the
administrator, not until somebody inserts an USB stick.
next prev parent reply other threads:[~2012-12-21 8:49 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-20 8:43 [RFC PATCH v7 0/2] Btrfs: get/set label of a mounted file system Jeff Liu
2012-12-20 8:43 ` [RFC PATCH v7 1/2] Btrfs: Add a new ioctl to get the " Jeff Liu
2012-12-20 20:18 ` Goffredo Baroncelli
2012-12-21 6:42 ` Jeff Liu
2012-12-21 8:50 ` Stefan Behrens [this message]
2012-12-21 17:36 ` Goffredo Baroncelli
2012-12-24 8:07 ` Jeff Liu
2012-12-24 13:46 ` Goffredo Baroncelli
2012-12-24 15:10 ` Jeff Liu
2012-12-20 8:43 ` [RFC PATCH v7 2/2] Btrfs: Add a new ioctl to set/change " Jeff Liu
2012-12-20 20:19 ` Goffredo Baroncelli
2012-12-27 17:34 ` David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50D422BB.3080204@giantdisaster.de \
--to=sbehrens@giantdisaster.de \
--cc=anand.jain@oracle.com \
--cc=dsterba@suse.cz \
--cc=jeff.liu@oracle.com \
--cc=kreijack@inwind.it \
--cc=linux-btrfs@vger.kernel.org \
--cc=miaox@cn.fujitsu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).