From: Nikolay Borisov <nborisov@suse.com>
To: Qu Wenruo <wqu@suse.com>, linux-btrfs@vger.kernel.org
Subject: Re: [PATCH 5/6] btrfs: tree-checker: Verify inode item
Date: Wed, 13 Mar 2019 11:28:22 +0200 [thread overview]
Message-ID: <53f3d158-c7bd-d3ae-f7ca-93d59f5a76a6@suse.com> (raw)
In-Reply-To: <20190313085511.23540-6-wqu@suse.com>
On 13.03.19 г. 10:55 ч., Qu Wenruo wrote:
> There is a report in kernel bugzilla about mismatch file type in dir
> item and inode item.
>
> This inspires us to check inode mode in inode item.
>
> This patch will check the following members:
> - inode key objectid
> Should be ROOT_DIR_DIR or [256, (u64)-256] or FREE_INO.
>
> - inode key offset
> Should be 0
>
> - inode item generation
> - inode item transid
> No newer than sb generation + 1.
> The +1 is for log tree.
>
> - inode item mode
> No unknown bits.
> No invalid S_IF* bit.
> NOTE: S_IFMT check is not enough, need extra check for it.
>
> - inode item nlink
> Dir should have no more link than 1.
>
> - inode item flags
>
> Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
> ---
> fs/btrfs/ctree.h | 2 +
> fs/btrfs/tree-checker.c | 99 +++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 101 insertions(+)
>
> diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
> index 7a2a2621f0d9..f002c63a34e3 100644
> --- a/fs/btrfs/ctree.h
> +++ b/fs/btrfs/ctree.h
> @@ -1504,6 +1504,8 @@ do { \
> #define BTRFS_INODE_COMPRESS (1 << 11)
>
> #define BTRFS_INODE_ROOT_ITEM_INIT (1 << 31)
> +#define BTRFS_INODE_FLAG_MASK (((1 << 12) - 1) |\
> + BTRFS_INODE_ROOT_ITEM_INIT)
>
> struct btrfs_map_token {
> const struct extent_buffer *eb;
> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
> index c08609627720..4b178ef1a9e7 100644
> --- a/fs/btrfs/tree-checker.c
> +++ b/fs/btrfs/tree-checker.c
> @@ -682,6 +682,102 @@ static int check_dev_item(struct btrfs_fs_info *fs_info,
> return -EUCLEAN;
> }
>
> +/* Inode item error output has the same format as dir_item_err() */
> +#define inode_item_err(fs_info, eb, slot, fmt, ...) \
> + dir_item_err(fs_info, eb, slot, fmt, __VA_ARGS__)
> +
> +static int check_inode_item(struct btrfs_fs_info *fs_info,
> + struct extent_buffer *leaf,
> + struct btrfs_key *key, int slot)
> +{
> + struct btrfs_inode_item *iitem;
> + u64 super_gen = btrfs_super_generation(fs_info->super_copy);
> + u32 valid_mask = (S_IFMT | S_ISUID | S_ISGID | S_ISVTX | 0777);
> + u32 mode;
> +
> + if ((key->objectid < BTRFS_FIRST_FREE_OBJECTID ||
> + key->objectid > BTRFS_LAST_FREE_OBJECTID) &&
> + key->objectid != BTRFS_ROOT_TREE_DIR_OBJECTID &&
> + key->objectid != BTRFS_FREE_INO_OBJECTID) {
> + generic_err(fs_info, leaf, slot,
> + "invalid key objectid: has %llu expect %llu or [%llu, %llu] or %llu",
> + key->objectid, BTRFS_ROOT_TREE_DIR_OBJECTID,
> + BTRFS_FIRST_FREE_OBJECTID,
> + BTRFS_LAST_FREE_OBJECTID,
> + BTRFS_FREE_INO_OBJECTID);
> + goto error;
> + }
> + if (key->offset != 0) {
> + inode_item_err(fs_info, leaf, slot,
> + "invalid key offset: has %llu expect 0",
> + key->offset);
> + goto error;
> + }
> + iitem = btrfs_item_ptr(leaf, slot, struct btrfs_inode_item);
> +
> + /* Here we use super block generation + 1 to handle log tree */
> + if (btrfs_inode_generation(leaf, iitem) > super_gen + 1) {
> + inode_item_err(fs_info, leaf, slot,
> + "invalid inode generation: has %llu expect (0, %llu]",
> + btrfs_inode_generation(leaf, iitem),
> + super_gen + 1);
> + goto error;
> + }
> + /* Note for ROOT_TREE_DIR_ITEM, mkfs could make its transid as 0 */
> + if (btrfs_inode_transid(leaf, iitem) > super_gen + 1) {
> + inode_item_err(fs_info, leaf, slot,
> + "invalid inode generation: has %llu expect [0, %llu]",
> + btrfs_inode_transid(leaf, iitem),
> + super_gen + 1);
> + goto error;
> + }
> +
> + /*
> + * For size and nbytes it's better not to be too strict, as for dir
> + * item its size/nbytes can easily get wrong, but doesn't affect
> + * any thing of the fs. So here we skip the check.
> + */
> +
> + mode = btrfs_inode_mode(leaf, iitem);
> + if (mode & ~valid_mask) {
> + inode_item_err(fs_info, leaf, slot,
> + "unknown mode bit detected: 0x%x",
> + mode & ~valid_mask);
> + goto error;
> + }
> +
> + /*
> + * S_IFMT is not bit mapped so we can't completely rely is_power_of_2(),
> + * but is_power_of_2() can save us from checking FIFO/CHR/DIR/REG.
> + * Only needs to check BLK, LNK and SOCKS
> + */
> + if (!is_power_of_2(mode & S_IFMT)) {
> + if (!S_ISLNK(mode) && ! S_ISBLK(mode) && !S_ISSOCK(mode)) {
> + inode_item_err(fs_info, leaf, slot,
> + "invalid mode: has 0%o expect valid S_IF* bit(s)",
> + mode & S_IFMT);
> + goto error;
> + }
> + }
> + if (S_ISDIR(mode) && btrfs_inode_nlink(leaf, iitem) > 1) {
> + inode_item_err(fs_info, leaf, slot,
> + "invalid nlink: has %u expect no more than 1 for dir",
> + btrfs_inode_nlink(leaf, iitem));
> + goto error;
> + }
> + if (btrfs_inode_flags(leaf, iitem) & ~BTRFS_INODE_FLAG_MASK) {
> + inode_item_err(fs_info, leaf, slot,
> + "unknown flags detected: 0x%llx",
> + btrfs_inode_flags(leaf, iitem) &
> + ~BTRFS_INODE_FLAG_MASK);
> + goto error;
> + }
> + return 0;
> +
> +error:
> + return -EUCLEAN;
> +}
> +
> /*
> * Common point to switch the item-specific validation.
> */
> @@ -715,6 +811,9 @@ static int check_leaf_item(struct btrfs_fs_info *fs_info,
> case BTRFS_DEV_ITEM_KEY:
> ret = check_dev_item(fs_info, leaf, key, slot);
> break;
> + case BTRFS_INODE_ITEM_KEY:
> + ret = check_inode_item(fs_info, leaf, key, slot);
> + break;
> }
> return ret;
> }
>
next prev parent reply other threads:[~2019-03-13 9:28 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-13 8:55 [PATCH 0/6] btrfs: Enhance tree checker and runtime checker to handle the new wave of fuzzed image attack Qu Wenruo
2019-03-13 8:55 ` [PATCH 1/6] btrfs: tree-checker: Verify chunk items Qu Wenruo
2019-03-13 9:19 ` Nikolay Borisov
2019-03-19 14:50 ` David Sterba
2019-03-20 0:46 ` Qu Wenruo
2019-03-20 5:03 ` Qu Wenruo
2019-03-13 8:55 ` [PATCH 2/6] btrfs: tree-checker: Verify dev item Qu Wenruo
2019-03-13 9:19 ` Nikolay Borisov
2019-03-13 8:55 ` [PATCH 3/6] btrfs: Check the first key and level for cached extent buffer Qu Wenruo
2019-03-13 9:24 ` Nikolay Borisov
2019-03-13 8:55 ` [PATCH 4/6] btrfs: tree-checker: Enhance chunk checker to validate chunk profiler Qu Wenruo
2019-03-13 9:18 ` Nikolay Borisov
2019-03-13 8:55 ` [PATCH 5/6] btrfs: tree-checker: Verify inode item Qu Wenruo
2019-03-13 9:28 ` Nikolay Borisov [this message]
2019-03-13 8:55 ` [PATCH 6/6] btrfs: inode: Verify inode mode to avoid NULL pointer dereference Qu Wenruo
2019-03-13 9:41 ` Nikolay Borisov
2019-03-13 9:01 ` [PATCH 0/6] btrfs: Enhance tree checker and runtime checker to handle the new wave of fuzzed image attack Qu Wenruo
2019-03-19 15:34 ` David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53f3d158-c7bd-d3ae-f7ca-93d59f5a76a6@suse.com \
--to=nborisov@suse.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=wqu@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).