* [PATCH] f2fs: add additional sanity check in f2fs_acl_from_disk()
@ 2018-08-30 13:33 Chengguang Xu
2018-08-30 15:41 ` Chao Yu
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Chengguang Xu @ 2018-08-30 13:33 UTC (permalink / raw)
To: jaegeuk, yuchao0; +Cc: Chengguang Xu, linux-f2fs-devel
Add additinal sanity check for irregular case(e.g. corruption).
If size of extended attribution is smaller than size of acl header,
then return -EINVAL.
Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
---
fs/f2fs/acl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
index 111824199a88..79e9ea773070 100644
--- a/fs/f2fs/acl.c
+++ b/fs/f2fs/acl.c
@@ -53,6 +53,9 @@ static struct posix_acl *f2fs_acl_from_disk(const char *value, size_t size)
struct f2fs_acl_entry *entry = (struct f2fs_acl_entry *)(hdr + 1);
const char *end = value + size;
+ if (size < sizeof(f2fs_acl_header))
+ return ERR_PTR(-EINVAL);
+
if (hdr->a_version != cpu_to_le32(F2FS_ACL_VERSION))
return ERR_PTR(-EINVAL);
--
2.17.1
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
^ permalink raw reply related [flat|nested] 10+ messages in thread* Re: [PATCH] f2fs: add additional sanity check in f2fs_acl_from_disk()
2018-08-30 13:33 [PATCH] f2fs: add additional sanity check in f2fs_acl_from_disk() Chengguang Xu
@ 2018-08-30 15:41 ` Chao Yu
2018-08-30 16:19 ` cgxu519
2018-08-31 12:17 ` Chao Yu
2018-09-05 4:28 ` Jaegeuk Kim
2 siblings, 1 reply; 10+ messages in thread
From: Chao Yu @ 2018-08-30 15:41 UTC (permalink / raw)
To: Chengguang Xu, jaegeuk, yuchao0; +Cc: linux-f2fs-devel
Hi Chengguang,
On 2018/8/30 21:33, Chengguang Xu wrote:
> Add additinal sanity check for irregular case(e.g. corruption).
> If size of extended attribution is smaller than size of acl header,
> then return -EINVAL.
>
> Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
> ---
> fs/f2fs/acl.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
> index 111824199a88..79e9ea773070 100644
> --- a/fs/f2fs/acl.c
> +++ b/fs/f2fs/acl.c
> @@ -53,6 +53,9 @@ static struct posix_acl *f2fs_acl_from_disk(const char *value, size_t size)
> struct f2fs_acl_entry *entry = (struct f2fs_acl_entry *)(hdr + 1);
> const char *end = value + size;
>
> + if (size < sizeof(f2fs_acl_header))
> + return ERR_PTR(-EINVAL);
I guess below codes have checked that already?
count = f2fs_acl_count(size);
if (count < 0)
return ERR_PTR(-EINVAL);
Thanks,
> +
> if (hdr->a_version != cpu_to_le32(F2FS_ACL_VERSION))
> return ERR_PTR(-EINVAL);
>
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] f2fs: add additional sanity check in f2fs_acl_from_disk()
2018-08-30 15:41 ` Chao Yu
@ 2018-08-30 16:19 ` cgxu519
2018-08-31 7:02 ` Chao Yu
0 siblings, 1 reply; 10+ messages in thread
From: cgxu519 @ 2018-08-30 16:19 UTC (permalink / raw)
To: Chao Yu, jaegeuk, yuchao0; +Cc: linux-f2fs-devel
On 08/30/2018 11:41 PM, Chao Yu wrote:
> Hi Chengguang,
>
> On 2018/8/30 21:33, Chengguang Xu wrote:
>> Add additinal sanity check for irregular case(e.g. corruption).
>> If size of extended attribution is smaller than size of acl header,
>> then return -EINVAL.
>>
>> Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
>> ---
>> fs/f2fs/acl.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
>> index 111824199a88..79e9ea773070 100644
>> --- a/fs/f2fs/acl.c
>> +++ b/fs/f2fs/acl.c
>> @@ -53,6 +53,9 @@ static struct posix_acl *f2fs_acl_from_disk(const char *value, size_t size)
>> struct f2fs_acl_entry *entry = (struct f2fs_acl_entry *)(hdr + 1);
>> const char *end = value + size;
>>
>> + if (size < sizeof(f2fs_acl_header))
>> + return ERR_PTR(-EINVAL);
> I guess below codes have checked that already?
>
> count = f2fs_acl_count(size);
> if (count < 0)
> return ERR_PTR(-EINVAL);
Hi Chao,
Thanks for prompt reply.
I still think in a rare case, it can pass the check in f2fs_acl_count()
and cause unexpected behavior.
For example, like below code path in f2fs_acl_count().
-> if (s < 0) {
if (size % sizeof(struct f2fs_acl_entry_short))
return -1;
-> return size / sizeof(struct f2fs_acl_entry_short);
}
Thanks,
Chengguang
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: [PATCH] f2fs: add additional sanity check in f2fs_acl_from_disk()
2018-08-30 16:19 ` cgxu519
@ 2018-08-31 7:02 ` Chao Yu
2018-08-31 11:40 ` Chengguang Xu
0 siblings, 1 reply; 10+ messages in thread
From: Chao Yu @ 2018-08-31 7:02 UTC (permalink / raw)
To: cgxu519, Chao Yu, jaegeuk; +Cc: linux-f2fs-devel
On 2018/8/31 0:19, cgxu519 wrote:
>
> On 08/30/2018 11:41 PM, Chao Yu wrote:
>> Hi Chengguang,
>>
>> On 2018/8/30 21:33, Chengguang Xu wrote:
>>> Add additinal sanity check for irregular case(e.g. corruption).
>>> If size of extended attribution is smaller than size of acl header,
>>> then return -EINVAL.
>>>
>>> Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
>>> ---
>>> fs/f2fs/acl.c | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
>>> index 111824199a88..79e9ea773070 100644
>>> --- a/fs/f2fs/acl.c
>>> +++ b/fs/f2fs/acl.c
>>> @@ -53,6 +53,9 @@ static struct posix_acl *f2fs_acl_from_disk(const char *value, size_t size)
>>> struct f2fs_acl_entry *entry = (struct f2fs_acl_entry *)(hdr + 1);
>>> const char *end = value + size;
>>>
>>> + if (size < sizeof(f2fs_acl_header))
>>> + return ERR_PTR(-EINVAL);
>> I guess below codes have checked that already?
>>
>> count = f2fs_acl_count(size);
>> if (count < 0)
>> return ERR_PTR(-EINVAL);
>
> Hi Chao,
>
> Thanks for prompt reply.
>
> I still think in a rare case, it can pass the check in f2fs_acl_count()
> and cause unexpected behavior.
>
> For example, like below code path in f2fs_acl_count().
if size < sizeof(f2fs_acl_header)
size -= sizeof(struct f2fs_acl_header);
size should be smaller than zero, right?
>
> -> if (s < 0) {
> if (size % sizeof(struct f2fs_acl_entry_short))
> return -1;
> -> return size / sizeof(struct f2fs_acl_entry_short);
So the return value should be smaller than zero?
Thanks,
> }
>
>
> Thanks,
> Chengguang
>
>
>
>
>
>
>
>
>
>
>
>
> .
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: [PATCH] f2fs: add additional sanity check in f2fs_acl_from_disk()
2018-08-31 7:02 ` Chao Yu
@ 2018-08-31 11:40 ` Chengguang Xu
2018-08-31 12:16 ` Chao Yu
0 siblings, 1 reply; 10+ messages in thread
From: Chengguang Xu @ 2018-08-31 11:40 UTC (permalink / raw)
To: Chao Yu; +Cc: jaegeuk, linux-f2fs-devel
On 2018/8/31 at 下午3:02, Chao Yu wrote:
> On 2018/8/31 0:19, cgxu519 wrote:
> >
> > On 08/30/2018 11:41 PM, Chao Yu wrote:
> >> Hi Chengguang,
> >>
> >> On 2018/8/30 21:33, Chengguang Xu wrote:
> >>> Add additinal sanity check for irregular case(e.g. corruption).
> >>> If size of extended attribution is smaller than size of acl header,
> >>> then return -EINVAL.
> >>>
> >>> Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
> >>> ---
> >>> fs/f2fs/acl.c | 3 +++
> >>> 1 file changed, 3 insertions(+)
> >>>
> >>> diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
> >>> index 111824199a88..79e9ea773070 100644
> >>> --- a/fs/f2fs/acl.c
> >>> +++ b/fs/f2fs/acl.c
> >>> @@ -53,6 +53,9 @@ static struct posix_acl *f2fs_acl_from_disk(const char *value, size_t size)
> >>> struct f2fs_acl_entry *entry = (struct f2fs_acl_entry *)(hdr + 1);
> >>> const char *end = value + size;
> >>>
> >>> + if (size < sizeof(f2fs_acl_header))
> >>> + return ERR_PTR(-EINVAL);
> >> I guess below codes have checked that already?
> >>
> >> count = f2fs_acl_count(size);
> >> if (count < 0)
> >> return ERR_PTR(-EINVAL);
> >
> > Hi Chao,
> >
> > Thanks for prompt reply.
> >
> > I still think in a rare case, it can pass the check in f2fs_acl_count()
> > and cause unexpected behavior.
> >
> > For example, like below code path in f2fs_acl_count().
>
> if size < sizeof(f2fs_acl_header)
>
> size -= sizeof(struct f2fs_acl_header);
>
> size should be smaller than zero, right?
>
> >
> > -> if (s < 0) {
> > if (size % sizeof(struct f2fs_acl_entry_short))
> > return -1;
> > -> return size / sizeof(struct f2fs_acl_entry_short);
>
> So the return value should be smaller than zero?
size is unsigned so the return value will not be negative here.
Thanks,
Chengguang
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: [PATCH] f2fs: add additional sanity check in f2fs_acl_from_disk()
2018-08-31 11:40 ` Chengguang Xu
@ 2018-08-31 12:16 ` Chao Yu
0 siblings, 0 replies; 10+ messages in thread
From: Chao Yu @ 2018-08-31 12:16 UTC (permalink / raw)
To: Chengguang Xu; +Cc: jaegeuk, linux-f2fs-devel
On 2018/8/31 19:40, Chengguang Xu wrote:
>
>
> On 2018/8/31 at 下午3:02, Chao Yu wrote:
>
>> On 2018/8/31 0:19, cgxu519 wrote:
>>>
>>> On 08/30/2018 11:41 PM, Chao Yu wrote:
>>>> Hi Chengguang,
>>>>
>>>> On 2018/8/30 21:33, Chengguang Xu wrote:
>>>>> Add additinal sanity check for irregular case(e.g. corruption).
>>>>> If size of extended attribution is smaller than size of acl header,
>>>>> then return -EINVAL.
>>>>>
>>>>> Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
>>>>> ---
>>>>> fs/f2fs/acl.c | 3 +++
>>>>> 1 file changed, 3 insertions(+)
>>>>>
>>>>> diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
>>>>> index 111824199a88..79e9ea773070 100644
>>>>> --- a/fs/f2fs/acl.c
>>>>> +++ b/fs/f2fs/acl.c
>>>>> @@ -53,6 +53,9 @@ static struct posix_acl *f2fs_acl_from_disk(const char *value, size_t size)
>>>>> struct f2fs_acl_entry *entry = (struct f2fs_acl_entry *)(hdr + 1);
>>>>> const char *end = value + size;
>>>>>
>>>>> + if (size < sizeof(f2fs_acl_header))
>>>>> + return ERR_PTR(-EINVAL);
>>>> I guess below codes have checked that already?
>>>>
>>>> count = f2fs_acl_count(size);
>>>> if (count < 0)
>>>> return ERR_PTR(-EINVAL);
>>>
>>> Hi Chao,
>>>
>>> Thanks for prompt reply.
>>>
>>> I still think in a rare case, it can pass the check in f2fs_acl_count()
>>> and cause unexpected behavior.
>>>
>>> For example, like below code path in f2fs_acl_count().
>>
>> if size < sizeof(f2fs_acl_header)
>>
>> size -= sizeof(struct f2fs_acl_header);
>>
>> size should be smaller than zero, right?
>>
>>>
>>> -> if (s < 0) {
>>> if (size % sizeof(struct f2fs_acl_entry_short))
>>> return -1;
>>> -> return size / sizeof(struct f2fs_acl_entry_short);
>>
>> So the return value should be smaller than zero?
>
> size is unsigned so the return value will not be negative here.
You're right, I misread size_t as ssize_t, sorry.
Thanks,
>
> Thanks,
> Chengguang
>
> .
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] f2fs: add additional sanity check in f2fs_acl_from_disk()
2018-08-30 13:33 [PATCH] f2fs: add additional sanity check in f2fs_acl_from_disk() Chengguang Xu
2018-08-30 15:41 ` Chao Yu
@ 2018-08-31 12:17 ` Chao Yu
2018-09-05 4:28 ` Jaegeuk Kim
2 siblings, 0 replies; 10+ messages in thread
From: Chao Yu @ 2018-08-31 12:17 UTC (permalink / raw)
To: Chengguang Xu, jaegeuk; +Cc: linux-f2fs-devel
On 2018/8/30 21:33, Chengguang Xu wrote:
> Add additinal sanity check for irregular case(e.g. corruption).
> If size of extended attribution is smaller than size of acl header,
> then return -EINVAL.
>
> Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Thanks,
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] f2fs: add additional sanity check in f2fs_acl_from_disk()
2018-08-30 13:33 [PATCH] f2fs: add additional sanity check in f2fs_acl_from_disk() Chengguang Xu
2018-08-30 15:41 ` Chao Yu
2018-08-31 12:17 ` Chao Yu
@ 2018-09-05 4:28 ` Jaegeuk Kim
2018-09-05 5:54 ` Chao Yu
2 siblings, 1 reply; 10+ messages in thread
From: Jaegeuk Kim @ 2018-09-05 4:28 UTC (permalink / raw)
To: Chengguang Xu; +Cc: linux-f2fs-devel
On 08/30, Chengguang Xu wrote:
> Add additinal sanity check for irregular case(e.g. corruption).
> If size of extended attribution is smaller than size of acl header,
> then return -EINVAL.
>
> Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
> ---
> fs/f2fs/acl.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
> index 111824199a88..79e9ea773070 100644
> --- a/fs/f2fs/acl.c
> +++ b/fs/f2fs/acl.c
> @@ -53,6 +53,9 @@ static struct posix_acl *f2fs_acl_from_disk(const char *value, size_t size)
> struct f2fs_acl_entry *entry = (struct f2fs_acl_entry *)(hdr + 1);
> const char *end = value + size;
>
> + if (size < sizeof(f2fs_acl_header))
sizeof(struct f2fs_acl_header)
I fixed the above, and merged.
Thanks,
> + return ERR_PTR(-EINVAL);
> +
> if (hdr->a_version != cpu_to_le32(F2FS_ACL_VERSION))
> return ERR_PTR(-EINVAL);
>
> --
> 2.17.1
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] f2fs: add additional sanity check in f2fs_acl_from_disk()
2018-09-05 4:28 ` Jaegeuk Kim
@ 2018-09-05 5:54 ` Chao Yu
2018-09-05 16:59 ` Jaegeuk Kim
0 siblings, 1 reply; 10+ messages in thread
From: Chao Yu @ 2018-09-05 5:54 UTC (permalink / raw)
To: Jaegeuk Kim, Chengguang Xu; +Cc: linux-f2fs-devel
Hi Jaegeuk,
Could you update dev-test branch? so I can rebase my patch on it. :)
On 2018/9/5 12:28, Jaegeuk Kim wrote:
> On 08/30, Chengguang Xu wrote:
>> Add additinal sanity check for irregular case(e.g. corruption).
>> If size of extended attribution is smaller than size of acl header,
>> then return -EINVAL.
>>
>> Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
>> ---
>> fs/f2fs/acl.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
>> index 111824199a88..79e9ea773070 100644
>> --- a/fs/f2fs/acl.c
>> +++ b/fs/f2fs/acl.c
>> @@ -53,6 +53,9 @@ static struct posix_acl *f2fs_acl_from_disk(const char *value, size_t size)
>> struct f2fs_acl_entry *entry = (struct f2fs_acl_entry *)(hdr + 1);
>> const char *end = value + size;
>>
>> + if (size < sizeof(f2fs_acl_header))
>
> sizeof(struct f2fs_acl_header)
>
> I fixed the above, and merged.
>
> Thanks,
>
>> + return ERR_PTR(-EINVAL);
>> +
>> if (hdr->a_version != cpu_to_le32(F2FS_ACL_VERSION))
>> return ERR_PTR(-EINVAL);
>>
>> --
>> 2.17.1
>
> .
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] f2fs: add additional sanity check in f2fs_acl_from_disk()
2018-09-05 5:54 ` Chao Yu
@ 2018-09-05 16:59 ` Jaegeuk Kim
0 siblings, 0 replies; 10+ messages in thread
From: Jaegeuk Kim @ 2018-09-05 16:59 UTC (permalink / raw)
To: Chao Yu; +Cc: Chengguang Xu, linux-f2fs-devel
On 09/05, Chao Yu wrote:
> Hi Jaegeuk,
>
> Could you update dev-test branch? so I can rebase my patch on it. :)
Will do soon. :)
>
> On 2018/9/5 12:28, Jaegeuk Kim wrote:
> > On 08/30, Chengguang Xu wrote:
> >> Add additinal sanity check for irregular case(e.g. corruption).
> >> If size of extended attribution is smaller than size of acl header,
> >> then return -EINVAL.
> >>
> >> Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
> >> ---
> >> fs/f2fs/acl.c | 3 +++
> >> 1 file changed, 3 insertions(+)
> >>
> >> diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
> >> index 111824199a88..79e9ea773070 100644
> >> --- a/fs/f2fs/acl.c
> >> +++ b/fs/f2fs/acl.c
> >> @@ -53,6 +53,9 @@ static struct posix_acl *f2fs_acl_from_disk(const char *value, size_t size)
> >> struct f2fs_acl_entry *entry = (struct f2fs_acl_entry *)(hdr + 1);
> >> const char *end = value + size;
> >>
> >> + if (size < sizeof(f2fs_acl_header))
> >
> > sizeof(struct f2fs_acl_header)
> >
> > I fixed the above, and merged.
> >
> > Thanks,
> >
> >> + return ERR_PTR(-EINVAL);
> >> +
> >> if (hdr->a_version != cpu_to_le32(F2FS_ACL_VERSION))
> >> return ERR_PTR(-EINVAL);
> >>
> >> --
> >> 2.17.1
> >
> > .
> >
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2018-09-05 16:59 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-08-30 13:33 [PATCH] f2fs: add additional sanity check in f2fs_acl_from_disk() Chengguang Xu
2018-08-30 15:41 ` Chao Yu
2018-08-30 16:19 ` cgxu519
2018-08-31 7:02 ` Chao Yu
2018-08-31 11:40 ` Chengguang Xu
2018-08-31 12:16 ` Chao Yu
2018-08-31 12:17 ` Chao Yu
2018-09-05 4:28 ` Jaegeuk Kim
2018-09-05 5:54 ` Chao Yu
2018-09-05 16:59 ` Jaegeuk Kim
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).