From: Jan Kara <jack@suse.cz>
To: Baokun Li <libaokun1@huawei.com>
Cc: Jan Kara <jack@suse.cz>,
linux-ext4@vger.kernel.org, tytso@mit.edu,
adilger.kernel@dilger.ca, ritesh.list@gmail.com,
linux-kernel@vger.kernel.org, yi.zhang@huawei.com,
yangerkun@huawei.com, chengzhihao1@huawei.com,
yukuai3@huawei.com
Subject: Re: [PATCH 1/7] ext4: avoid overflow when setting values via sysfs
Date: Fri, 23 Feb 2024 12:54:43 +0100
Message-ID: <20240223115443.spaztzcv7llmfl77@quack3>
In-Reply-To: <81081ec9-3aab-ecd1-c2f6-9a3835ea4fda@huawei.com>
On Sat 17-02-24 15:09:06, Baokun Li wrote:
> On 2024/2/14 0:05, Jan Kara wrote:
> > On Fri 26-01-24 16:57:10, Baokun Li wrote:
> > > When setting values of type unsigned int through sysfs, we use kstrtoul()
> > > to parse it and then truncate part of it as the final set value. When the
> > > set value is greater than UINT_MAX, the set value will not match what we
> > > see because of the truncation. As follows:
> > >
> > > $ echo 4294967296 > /sys/fs/ext4/sda/mb_max_linear_groups
> > > $ cat /sys/fs/ext4/sda/mb_max_linear_groups
> > > 0
> > >
> > > So when the value set is outside the variable type range, -EINVAL is
> > > returned to avoid the inconsistency described above. In addition, a
> > > judgment is added to avoid setting s_resv_clusters less than 0.
> > >
> > > Signed-off-by: Baokun Li <libaokun1@huawei.com>
> > > ---
> > > fs/ext4/sysfs.c | 4 +++-
> > > 1 file changed, 3 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/fs/ext4/sysfs.c b/fs/ext4/sysfs.c
> > > index 6d332dff79dd..3671a8aaf4af 100644
> > > --- a/fs/ext4/sysfs.c
> > > +++ b/fs/ext4/sysfs.c
> > > @@ -104,7 +104,7 @@ static ssize_t reserved_clusters_store(struct ext4_sb_info *sbi,
> > > int ret;
> > > ret = kstrtoull(skip_spaces(buf), 0, &val);
> > > - if (ret || val >= clusters)
> > > + if (ret || val >= clusters || (s64)val < 0)
> > > return -EINVAL;
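Review bot: on the changed line `+ if (ret || val >= clusters || (s64)val < 0)` the new `(s64)val < 0` term can only fire when `clusters` itself is at or above 2^63, because `val >= clusters` already rejects every smaller value; if the intent is to guard the s64 interpretation of `s_resv_clusters` against an oversized cluster count, a one-line comment on that line would keep the next reader from removing it as dead code, and the commit message's "avoid setting s_resv_clusters less than 0" should say that it is this signed reinterpretation being guarded.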
> > This looks a bit pointless, doesn't it? 'val' is u64, clusters is u64. We
> > know that val < clusters so how could (s64)val be < 0?
> When clusters is bigger than LLONG_MAX, (s64)val may be less than 0.
> Of course we don't have such a large storage device yet, so it's only
> theoretically possible to overflow here. But the previous patches in this
> patch set were intended to ensure that the values set via sysfs did not
> exceed the range of the variable type, so I've modified that here as well.
Well, my point was that the on disk format is limited to much less than
2^63 blocks. But I guess having the additional check does not matter.
> > > @@ -463,6 +463,8 @@ static ssize_t ext4_attr_store(struct kobject *kobj,
> > > ret = kstrtoul(skip_spaces(buf), 0, &t);
> > > if (ret)
> > > return ret;
> > > + if (t != (unsigned int)t)
> > > + return -EINVAL;
> > > if (a->attr_ptr == ptr_ext4_super_block_offset)
> > > *((__le32 *) ptr) = cpu_to_le32(t);
> > > else
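Review bot: the truncation check `+ if (t != (unsigned int)t)` is correct, but it re-derives a bound that kstrtouint() already enforces by returning -ERANGE for values above UINT_MAX; parsing straight into an `unsigned int` with `ret = kstrtouint(skip_spaces(buf), 0, &t);` would keep the range check next to the conversion and remove the unsigned long detour in this path. If the shared `unsigned long t` is kept so the other cases stay on kstrtoul(), a short comment saying the comparison stands in for kstrtouint()'s range error would make the intent clear.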
> > I kind of agree with Alexey that using kstrtouint() here instead would look
> > nicer. And it isn't like you have to define many new variables. You just
> > need unsigned long for attr_pointer_ul and unsigned int for
> > attr_pointer_ui.
>
> If we use both kstrtouint() and kstrtoul(), then we need to add
> kstrtouint() or kstrtoul() to each case, which would be a lot of
> duplicate code as follows:
Well, it is 5 more lines if I'm counting right :) (3x 3 lines of conversion
- 2x 2 lines of boundary checks). I kind of find it easier to oversee the
boundary checks when everything is together at each parameter. But frankly
this is a bit of nitpicking so if you feel strongly about this I won't
insist.
> static ssize_t ext4_generic_attr_store(struct ext4_attr *a,
>                                        struct ext4_sb_info *sbi,
>                                        const char *buf, size_t len)
> {
>         int ret;
>         unsigned int t;
>         unsigned long lt;
>         void *ptr = calc_ptr(a, sbi);
>
>         if (!ptr)
>                 return 0;
>
>         switch (a->attr_id) {
>         case attr_group_prealloc:
>                 ret = kstrtouint(skip_spaces(buf), 0, &t);
>                 if (ret)
>                         return ret;
>                 if (t > sbi->s_clusters_per_group)
>                         return -EINVAL;
>                 return len;
>         case attr_pointer_pi:
>                 ret = kstrtouint(skip_spaces(buf), 0, &t);
>                 if (ret)
>                         return ret;
>                 if ((int)t < 0)
>                         return -EINVAL;
>                 return len;
>         case attr_pointer_ui:
>                 ret = kstrtouint(skip_spaces(buf), 0, &t);
>                 if (ret)
>                         return ret;
>                 if (t != (unsigned int)t)
>                         return -EINVAL;
^^^ this can go away
>                 if (a->attr_ptr == ptr_ext4_super_block_offset)
>                         *((__le32 *) ptr) = cpu_to_le32(t);
>                 else
>                         *((unsigned int *) ptr) = t;
>                 return len;
>         case attr_pointer_ul:
>                 ret = kstrtoul(skip_spaces(buf), 0, &lt);
>                 if (ret)
>                         return ret;
>                 *((unsigned long *) ptr) = lt;
>                 return len;
>         }
>         return 0;
>
> }
>
> Also, both kstrtouint() and kstrtoul() are based on the kstrtoull()
> implementation, so it feels better to opencode kstrtoul() and
> kstrtouint() to reduce duplicate code.
> Why is it better to distinguish uint and ulong cases here?
Hopefully explained above :)
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
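A user-space illustration of the truncation and the range checks discussed in this thread, added here as an example; it is not code from the patch set or from the ext4 tree. my_kstrtoull(), my_kstrtoul() and my_kstrtouint() are hypothetical stand-ins built on strtoull() that mirror the layering Baokun describes (the narrower parsers sit on top of the 64-bit one and reject what does not fit), and the store_*() functions reproduce the shape of the pre-patch and post-patch checks from the two hunks rather than the real sysfs store paths.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for kstrtoull(): base-0 parse of an unsigned 64-bit
 * value. Negative input and trailing garbage give -EINVAL, overflow -ERANGE.
 * It mirrors the behaviour discussed in the thread, not lib/kstrtox.c. */
static int my_kstrtoull(const char *s, unsigned long long *out)
{
	char *end;
	while (isspace((unsigned char)*s))
		s++;				/* skip_spaces(buf) */
	if (*s == '-' || *s == '\0')
		return -EINVAL;			/* strtoull would wrap negatives */
	errno = 0;
	unsigned long long v = strtoull(s, &end, 0);
	if (errno == ERANGE)
		return -ERANGE;
	if (*end == '\n')
		end++;				/* sysfs writes end with '\n' */
	if (*end != '\0')
		return -EINVAL;
	*out = v;
	return 0;
}

/* Narrower parsers layered on the 64-bit one: a value that does not fit the
 * target type is rejected with -ERANGE instead of being truncated. */
static int my_kstrtoul(const char *s, unsigned long *out)
{
	unsigned long long v;
	int ret = my_kstrtoull(s, &v);
	if (ret)
		return ret;
	if (v != (unsigned long)v)
		return -ERANGE;
	*out = (unsigned long)v;
	return 0;
}

static int my_kstrtouint(const char *s, unsigned int *out)
{
	unsigned long long v;
	int ret = my_kstrtoull(s, &v);
	if (ret)
		return ret;
	if (v != (unsigned int)v)
		return -ERANGE;
	*out = (unsigned int)v;
	return 0;
}

/* Pre-patch shape of the attr_pointer_ui store: parse as unsigned long and
 * narrow silently. On LP64, "4294967296" lands in the slot as 0. */
static int store_ui_truncating(const char *buf, unsigned int *slot)
{
	unsigned long t;
	int ret = my_kstrtoul(buf, &t);
	if (ret)
		return ret;
	*slot = t;				/* implicit narrowing */
	return 0;
}

/* Post-patch shape: same parse, but refuse a value the narrowing would change. */
static int store_ui_checked(const char *buf, unsigned int *slot)
{
	unsigned long t;
	int ret = my_kstrtoul(buf, &t);
	if (ret)
		return ret;
	if (t != (unsigned int)t)
		return -EINVAL;
	*slot = (unsigned int)t;
	return 0;
}

/* Shape of the reserved_clusters_store() check from the first hunk: val must
 * be below the cluster count and also non-negative when read as s64, which
 * only matters once clusters itself is at or above 2^63. */
static int store_reserved_clusters(const char *buf, unsigned long long clusters,
				   unsigned long long *slot)
{
	unsigned long long val;
	int ret = my_kstrtoull(buf, &val);
	if (ret || val >= clusters || (long long)val < 0)
		return -EINVAL;
	*slot = val;
	return 0;
}

int main(void)
{
	unsigned int ui = 7;
	unsigned long long rc = 0;

	printf("truncating store: ret=%d slot=%u\n",
	       store_ui_truncating("4294967296\n", &ui), ui);
	ui = 7;
	printf("checked store:    ret=%d slot=%u\n",
	       store_ui_checked("4294967296\n", &ui), ui);
	printf("kstrtouint:       ret=%d\n", my_kstrtouint("4294967296\n", &ui));
	printf("resv on huge fs:  ret=%d\n",
	       store_reserved_clusters("9223372036854775808", ULLONG_MAX, &rc));
	return 0;
}
```

On an LP64 build the first line shows the silent wrap to 0 that the commit message demonstrates with the `echo`/`cat` pair; the checked store and my_kstrtouint() both refuse the same input, differing only in whether the caller or the parser owns the bound, which is the nit being argued in the thread.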