From: Qu Wenruo <quwenruo.btrfs@gmx.com>
To: Qu Wenruo <wqu@suse.com>, linux-btrfs@vger.kernel.org
Subject: Re: [PATCH 0/6] btrfs: Enhance tree checker and runtime checker to handle the new wave of fuzzed image attack
Date: Wed, 13 Mar 2019 17:01:12 +0800 [thread overview]
Message-ID: <5f3e48b8-3998-409a-2fc7-af2481b52c0f@gmx.com> (raw)
In-Reply-To: <20190313085511.23540-1-wqu@suse.com>
[-- Attachment #1.1: Type: text/plain, Size: 2440 bytes --]
Just forgot the repo:
It can be fetched from github:
https://github.com/adam900710/linux/tree/tree_checker_enhancement
Which is based on my previous write time tree checker patchset.
Although the patchset itself can also be applied to v5.0-rc7 tag without
manual modification.
Thanks,
Qu
On 2019/3/13 下午4:55, Qu Wenruo wrote:
> Thanks for the report from Yoon Jungyeon <jungyeon@gatech.edu>, we have
> more fuzzed image to torture btrfs.
>
> Those images exposed the following problems:
>
> - Chunk check is not comprehensive nor early enough
> Chunk item check lacks profile bits check (e.g RAID|DUP profile is
> invalid).
> And for certain fuzzed image, the other copy can be valid, current
> check timming is after tree block read, so no way to retry the other
> copy.
>
> Address the check timing in the 1st patch, while for the profile bits,
> check it in the 4th patch.
>
> - Lack of device item check
> Address it in the 2nd patch.
>
> - First key and level check be exploited by cached extent buffer
> Cached bad extent buffer can avoid first key and level check.
> This is addressed in the 3rd patch.
>
> - Inode type mismatch can lead to NULL dereference in endio function
> If an inode claims itself as symlink but still has regular file
> extent, then endio function will cause NULL pointer dereference.
> Fix it by do extra inode mode and dir item type cross check, at
> get_extent() time and inode lookup time.
> Addressed in the 5th and 6th patch.
>
> Qu Wenruo (6):
> btrfs: tree-checker: Verify chunk items
> btrfs: tree-checker: Verify dev item
> btrfs: Check the first key and level for cached extent buffer
> btrfs: tree-checker: Enhance chunk checker to validate chunk profiler
> btrfs: tree-checker: Verify inode item
> btrfs: inode: Verify inode mode to avoid NULL pointer dereference
>
> fs/btrfs/ctree.c | 10 +
> fs/btrfs/ctree.h | 2 +
> fs/btrfs/disk-io.c | 10 +-
> fs/btrfs/disk-io.h | 3 +
> fs/btrfs/inode.c | 38 +++-
> fs/btrfs/tests/inode-tests.c | 1 +
> fs/btrfs/tree-checker.c | 342 +++++++++++++++++++++++++++++++++++
> fs/btrfs/tree-checker.h | 3 +
> fs/btrfs/volumes.c | 103 +----------
> fs/btrfs/volumes.h | 9 +
> 10 files changed, 406 insertions(+), 115 deletions(-)
>
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2019-03-13 9:01 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-13 8:55 [PATCH 0/6] btrfs: Enhance tree checker and runtime checker to handle the new wave of fuzzed image attack Qu Wenruo
2019-03-13 8:55 ` [PATCH 1/6] btrfs: tree-checker: Verify chunk items Qu Wenruo
2019-03-13 9:19 ` Nikolay Borisov
2019-03-19 14:50 ` David Sterba
2019-03-20 0:46 ` Qu Wenruo
2019-03-20 5:03 ` Qu Wenruo
2019-03-13 8:55 ` [PATCH 2/6] btrfs: tree-checker: Verify dev item Qu Wenruo
2019-03-13 9:19 ` Nikolay Borisov
2019-03-13 8:55 ` [PATCH 3/6] btrfs: Check the first key and level for cached extent buffer Qu Wenruo
2019-03-13 9:24 ` Nikolay Borisov
2019-03-13 8:55 ` [PATCH 4/6] btrfs: tree-checker: Enhance chunk checker to validate chunk profiler Qu Wenruo
2019-03-13 9:18 ` Nikolay Borisov
2019-03-13 8:55 ` [PATCH 5/6] btrfs: tree-checker: Verify inode item Qu Wenruo
2019-03-13 9:28 ` Nikolay Borisov
2019-03-13 8:55 ` [PATCH 6/6] btrfs: inode: Verify inode mode to avoid NULL pointer dereference Qu Wenruo
2019-03-13 9:41 ` Nikolay Borisov
2019-03-13 9:01 ` Qu Wenruo [this message]
2019-03-19 15:34 ` [PATCH 0/6] btrfs: Enhance tree checker and runtime checker to handle the new wave of fuzzed image attack David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5f3e48b8-3998-409a-2fc7-af2481b52c0f@gmx.com \
--to=quwenruo.btrfs@gmx.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=wqu@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).