linux-fsdevel.vger.kernel.org archive mirror
From: Jan Kara <jack@suse.cz>
To: Zhihao Cheng <chengzhihao1@huawei.com>
Cc: jack@suse.com, tytso@mit.edu, brauner@kernel.org,
	linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org,
	linux-kernel@vger.kernel.org, yukuai3@huawei.com
Subject: Re: [PATCH v2 3/3] quota: Add more checking after reading from quota file
Date: Fri, 23 Sep 2022 13:44:20 +0200
Message-ID: <20220923114420.43dasp3uw76yugac@quack3>
In-Reply-To: <20220922130401.1792256-4-chengzhihao1@huawei.com>

On Thu 22-09-22 21:04:01, Zhihao Cheng wrote:
> It would be better to do more sanity checking (e.g. dqdh_entries,
> block no.) on the content read from the quota file, which can prevent
> corrupting the quota file.
> 
> Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
> ---
>  fs/quota/quota_tree.c | 43 +++++++++++++++++++++++++++++++++----------
>  1 file changed, 33 insertions(+), 10 deletions(-)
> 
> diff --git a/fs/quota/quota_tree.c b/fs/quota/quota_tree.c
> index 47711e739ddb..54fe4ad71de5 100644
> --- a/fs/quota/quota_tree.c
> +++ b/fs/quota/quota_tree.c
> @@ -71,12 +71,12 @@ static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf)
>  	return ret;
>  }
>  
> -static inline int do_check_range(struct super_block *sb, uint val,
> -				 uint min_val, uint max_val)
> +static inline int do_check_range(struct super_block *sb, const char *val_name,
> +				 uint val, uint min_val, uint max_val)
>  {
>  	if (val < min_val || val >= max_val) {
> -		quota_error(sb, "Getting block %u out of range %u-%u",
> -			    val, min_val, max_val);
> +		quota_error(sb, "Getting %s %u out of range %u-%u",
> +			    val_name, val, min_val, max_val);
>  		return -EUCLEAN;
>  	}
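Review bot: the diagnostic in do_check_range() prints max_val as if the range were inclusive ("out of range %u-%u") while the test `val >= max_val` treats it as exclusive, so a value exactly equal to max_val is rejected yet reported as lying inside the printed range. Print the interval as half-open, e.g. `"Getting %s %u out of range [%u,%u)"`, or print `max_val - 1`, and keep the comparison as it is so that callers passing `qtree_dqstr_in_blk(info) + 1` as the limit keep their meaning. Adding val_name to the message is the right move; with the same helper now covering entry counts as well as block numbers, the literal "Getting" reads oddly for dqdh_entries and could simply be dropped.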

As I already wrote in my comments to v1, please create do_check_range()
already with this prototype in patch 1 so that you don't have to update it
(and all the call sites) in each of the patches. It makes review simpler.

> @@ -268,6 +270,11 @@ static uint find_free_dqentry(struct qtree_mem_dqinfo *info,
>  		*err = check_dquot_block_header(info, dh);
>  		if (*err)
>  			goto out_buf;
> +		*err = do_check_range(info->dqi_sb, "dqdh_entries",
> +				      le16_to_cpu(dh->dqdh_entries), 0,
> +				      qtree_dqstr_in_blk(info));
> +		if (*err)
> +			goto out_buf;
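Review bot: the lower bound of 0 is a no-op for an unsigned dqdh_entries, and the bounds at this site (0 .. qtree_dqstr_in_blk(info)) differ from those in free_dqentry() (1 .. qtree_dqstr_in_blk(info) + 1) without a comment saying why; state the invariant at each site: a block on the free-entries list must have at least one unused slot, while a block an entry is removed from must hold at least one entry. If the check is moved into check_dquot_block_header(), the part common to both callers is `le16_to_cpu(dh->dqdh_entries) <= qtree_dqstr_in_blk(info)`, and the stricter site-specific bound can stay with the caller.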

The checking of dqdh_entries belongs into check_dquot_block_header(). That
was the reason why it was created. So that all the checks are together in
one function...

>  	} else {
>  		blk = get_free_dqblk(info);
>  		if ((int)blk < 0) {
> @@ -349,6 +356,10 @@ static int do_insert_tree(struct qtree_mem_dqinfo *info, struct dquot *dquot,
>  	}
>  	ref = (__le32 *)buf;
>  	newblk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]);
> +	ret = do_check_range(dquot->dq_sb, "block", newblk, 0,
> +			     info->dqi_blocks);
> +	if (ret)
> +		goto out_buf;
>  	if (!newblk)
>  		newson = 1;
>  	if (depth == info->dqi_qtree_depth - 1) {
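Review bot: newblk == 0 is a legitimate value meaning "no child block yet" (the next line sets newson = 1 for it), so calling do_check_range() before the `if (!newblk)` test range-checks a known-good value, the same ordering point as in find_next_id(); test for zero first and validate only a non-zero newblk. The label "block" also does not say which tree level the bad reference came from; including `depth` in the message would make a corruption report from here actionable.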
> @@ -461,6 +472,11 @@ static int free_dqentry(struct qtree_mem_dqinfo *info, struct dquot *dquot,
>  	}
>  	dh = (struct qt_disk_dqdbheader *)buf;
>  	ret = check_dquot_block_header(info, dh);
> +	if (ret)
> +		goto out_buf;
> +	ret = do_check_range(info->dqi_sb, "dqdh_entries",
> +			     le16_to_cpu(dh->dqdh_entries), 1,
> +			     qtree_dqstr_in_blk(info) + 1);
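Review bot: `1, qtree_dqstr_in_blk(info) + 1` expresses 1 <= dqdh_entries <= qtree_dqstr_in_blk(info) through the helper's exclusive upper limit, which is easy to misread as permitting one entry more than a block can hold; a short comment giving the intended inclusive range would prevent that. The hunk as quoted also stops at the do_check_range() call, so the `if (ret) goto out_buf;` that must follow it is not visible here; please confirm the result of this second check is tested before the block is modified.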

Again, the check of dqdh_entries should be in check_dquot_block_header().

> @@ -739,7 +756,13 @@ static int find_next_id(struct qtree_mem_dqinfo *info, qid_t *id,
>  		goto out_buf;
>  	}
>  	for (i = __get_index(info, *id, depth); i < epb; i++) {
> -		if (ref[i] == cpu_to_le32(0)) {
> +		uint blk_no = le32_to_cpu(ref[i]);
> +
> +		ret = do_check_range(info->dqi_sb, "block", blk_no, 0,
> +				     info->dqi_blocks);
> +		if (ret)
> +			goto out_buf;
> +		if (blk_no == 0) {
>  			*id += level_inc;
>  			continue;
>  		}
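Review bot: the message from do_check_range() here carries only "block", with neither `depth` nor the slot index `i`, so a corrupt reference cannot be traced back to the tree node it was read from; logging the level and index alongside the value would make the report usable. The check also runs on every slot, including the zero ones that the following `if (blk_no == 0)` skips, so it validates known-good values; test for zero first and call do_check_range() only on a live reference.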

I'd leave checking for 0 first here - i.e.:
		if (ref[i] == cpu_to_le32(0)) {
			*id += level_inc;
			continue;
		}

and only then do:
		blk_no = le32_to_cpu(ref[i]);
		ret = do_check_range(...);

There's no point in checking a known-good value.

								Honza

-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR
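The checks argued over in this reply (a half-open do_check_range(), the two different dqdh_entries bounds at the find_free_dqentry() and free_dqentry() call sites, and testing a tree reference for zero before validating it), as an added example in user-space C. This is not kernel code and not from the patch: the dqinfo fields and the 12-byte block header layout are modelled on the kernel's qtree_mem_dqinfo and qt_disk_dqdbheader as assumptions, and every sample block below is constructed here, not read from a real quota file.

```c
/* Added example, not kernel code: bounds-checking quota-tree metadata read from an
 * untrusted quota file, in user-space C. Field names follow the kernel's; the
 * 12-byte header layout and all sample data are assumptions constructed here. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#ifndef EUCLEAN
#define EUCLEAN 117	/* "Structure needs cleaning", the Linux value */
#endif
#define DQDBHEADER_SIZE 12	/* assumed: __le32 next, __le32 prev, __le16 entries, __le16 pad */

struct dqinfo {			/* the parts of qtree_mem_dqinfo the checks depend on */
	uint32_t dqi_blocks;		/* blocks in the file; valid block numbers are < this */
	uint32_t dqi_usable_bs;		/* usable bytes per block */
	uint32_t dqi_entry_size;	/* bytes per on-disk dquot entry */
};

static uint32_t get_le32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Entries one data block can hold; the formula qtree_dqstr_in_blk() uses. */
static uint32_t dqstr_in_blk(const struct dqinfo *info) { return (info->dqi_usable_bs - DQDBHEADER_SIZE) / info->dqi_entry_size; }

/* Half-open check min_val <= val < max_val, mirroring do_check_range(): an
 * out-of-range on-disk value is reported as corruption, never silently repaired. */
static int check_range(const char *name, uint32_t val, uint32_t min_val, uint32_t max_val)
{
	if (val < min_val || val >= max_val) {
		fprintf(stderr, "quota: %s %u out of range [%u,%u)\n", name, val, min_val, max_val);
		return -EUCLEAN;
	}
	return 0;
}

/* All header checks in one place, as the reply asks. min/max_entries carry the
 * caller's invariant (free-list block: entries < dqstr; block being emptied: >= 1). */
static int check_block_header(const struct dqinfo *info, const uint8_t *raw,
			      uint32_t min_entries, uint32_t max_entries)
{
	uint32_t next_free = get_le32(raw);		/* 0 = end of free list */
	uint32_t prev_free = get_le32(raw + 4);		/* 0 = no previous block */
	uint32_t entries = raw[8] | (raw[9] << 8);	/* dqdh_entries, __le16 */

	if (check_range("next free block", next_free, 0, info->dqi_blocks) ||
	    check_range("prev free block", prev_free, 0, info->dqi_blocks))
		return -EUCLEAN;
	return check_range("dqdh_entries", entries, min_entries, max_entries);
}

/* Scan a tree node's __le32 child references from index start; zero means "no
 * child" and is skipped before any range check, as the reply suggests. Returns the
 * index of the first live reference, -ENOENT if none, -EUCLEAN if one is corrupt. */
static int next_child_ref(const struct dqinfo *info, const uint8_t *node,
			  uint32_t nrefs, uint32_t start, uint32_t *blk_out)
{
	for (uint32_t i = start; i < nrefs; i++) {
		uint32_t blk = get_le32(node + 4 * i);
		if (blk == 0)
			continue;	/* empty slot: nothing to validate */
		if (check_range("block", blk, 0, info->dqi_blocks))
			return -EUCLEAN;
		*blk_out = blk;
		return (int)i;
	}
	return -ENOENT;
}

/* Constructed sample data, not from a real quota file: a 16-block file with
 * 1024-byte blocks and 72-byte entries, so each data block holds 14 entries. */
static const struct dqinfo sample_info = { 16, 1024, 72 };
static const uint8_t good_hdr[DQDBHEADER_SIZE]     = { 5,0,0,0,  0,0,0,0,  3,0, 0,0 };
static const uint8_t empty_hdr[DQDBHEADER_SIZE]    = { 0,0,0,0,  0,0,0,0,  0,0, 0,0 };
static const uint8_t full_hdr[DQDBHEADER_SIZE]     = { 0,0,0,0,  0,0,0,0, 14,0, 0,0 };
static const uint8_t bad_link_hdr[DQDBHEADER_SIZE] = { 16,0,0,0, 0,0,0,0,  3,0, 0,0 };
static const uint8_t node_refs[16] = { 0,0,0,0, 0,0,0,0, 7,0,0,0, 40,0,0,0 };	/* children 0, 0, 7, 40 */

/* The two call-site invariants from the patch: a block taken off the free list
 * (find_free_dqentry) and a block an entry is removed from (free_dqentry). */
int sample_find_free(const uint8_t *raw)
{
	return check_block_header(&sample_info, raw, 0, dqstr_in_blk(&sample_info));
}
int sample_free_entry(const uint8_t *raw)
{
	return check_block_header(&sample_info, raw, 1, dqstr_in_blk(&sample_info) + 1);
}

int main(void)
{
	uint32_t blk = 0;
	int idx = next_child_ref(&sample_info, node_refs, 4, 0, &blk);
	printf("find_free: good=%d full=%d bad_link=%d; free_entry: full=%d empty=%d\n",
	       sample_find_free(good_hdr), sample_find_free(full_hdr), sample_find_free(bad_link_hdr),
	       sample_free_entry(full_hdr), sample_free_entry(empty_hdr));
	printf("first live child: index %d, block %u; from index 3: %d\n", idx, blk,
	       next_child_ref(&sample_info, node_refs, 4, 3, &blk));
	return 0;
}
```

The full block (14 entries) is rejected when it is taken off the free list but accepted when an entry is about to be removed from it, and the empty block the other way round; that is why the two call sites in the patch pass different bounds to the same helper, and why a single shared check can only cover the common `entries <= dqstr` part. A bad link or reference is answered with -EUCLEAN and the scan stops, so a corrupt on-disk value is never followed to a block outside the file.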


Thread overview: 7+ messages
2022-09-22 13:03 [PATCH v2 0/3] Check content after reading from quota file Zhihao Cheng
2022-09-22 13:03 ` [PATCH v2 1/3] quota: Check next/prev free block number " Zhihao Cheng
2022-09-22 13:04 ` [PATCH v2 2/3] quota: Replace all block number checking with helper function Zhihao Cheng
2022-09-23 11:48   ` Jan Kara
2022-09-27  1:07     ` Zhihao Cheng
2022-09-22 13:04 ` [PATCH v2 3/3] quota: Add more checking after reading from quota file Zhihao Cheng
2022-09-23 11:44   ` Jan Kara [this message]
