From: Dave Chinner <david@fromorbit.com>
To: xfs@oss.sgi.com
Cc: security@kernel.org
Subject: [PATCH 3/4] xfs: rename XFS_IGET_BULKSTAT to XFS_IGET_UNTRUSTED
Date: Fri, 18 Jun 2010 17:32:53 +1000 [thread overview]
Message-ID: <1276846374-23916-4-git-send-email-david@fromorbit.com> (raw)
In-Reply-To: <1276846374-23916-1-git-send-email-david@fromorbit.com>
From: Dave Chinner <dchinner@redhat.com>
Inode numbers may come from somewhere external to the filesystem
(e.g. file handles, bulkstat information) and so are inherently
untrusted. Rename the flag we use for these lookups to make it
obvious we are doing a lookup of an untrusted inode number and need
to verify it completely before trying to read it from disk.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
---
fs/xfs/linux-2.6/xfs_export.c | 9 ++++-----
fs/xfs/xfs_ialloc.c | 6 +++---
fs/xfs/xfs_inode.c | 2 +-
fs/xfs/xfs_inode.h | 2 +-
fs/xfs/xfs_itable.c | 2 +-
5 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/fs/xfs/linux-2.6/xfs_export.c b/fs/xfs/linux-2.6/xfs_export.c
index e61232f..b39c05c 100644
--- a/fs/xfs/linux-2.6/xfs_export.c
+++ b/fs/xfs/linux-2.6/xfs_export.c
@@ -127,12 +127,11 @@ xfs_nfs_get_inode(
return ERR_PTR(-ESTALE);
/*
- * The XFS_IGET_BULKSTAT means that an invalid inode number is just
- * fine and not an indication of a corrupted filesystem. Because
- * clients can send any kind of invalid file handle, e.g. after
- * a restore on the server we have to deal with this case gracefully.
+ * The XFS_IGET_UNTRUSTED means that an invalid inode number is just
+ * fine and not an indication of a corrupted filesystem as clients can
+ * send invalid file handles and we have to handle it gracefully..
*/
- error = xfs_iget(mp, NULL, ino, XFS_IGET_BULKSTAT,
+ error = xfs_iget(mp, NULL, ino, XFS_IGET_UNTRUSTED,
XFS_ILOCK_SHARED, &ip, 0);
if (error) {
/*
diff --git a/fs/xfs/xfs_ialloc.c b/fs/xfs/xfs_ialloc.c
index 06eb987..4efc23b 100644
--- a/fs/xfs/xfs_ialloc.c
+++ b/fs/xfs/xfs_ialloc.c
@@ -1265,7 +1265,7 @@ error0:
return error;
/* for untrusted inodes check it is allocated first */
- if ((flags & XFS_IGET_BULKSTAT) &&
+ if ((flags & XFS_IGET_UNTRUSTED) &&
(rec.ir_free & XFS_INOBT_MASK(agino - rec.ir_startino)))
return EINVAL;
@@ -1307,7 +1307,7 @@ xfs_imap(
ino != XFS_AGINO_TO_INO(mp, agno, agino)) {
#ifdef DEBUG
/* no diagnostics for bulkstat, ino comes from userspace */
- if (flags & XFS_IGET_BULKSTAT)
+ if (flags & XFS_IGET_UNTRUSTED)
return XFS_ERROR(EINVAL);
if (agno >= mp->m_sb.sb_agcount) {
xfs_fs_cmn_err(CE_ALERT, mp,
@@ -1343,7 +1343,7 @@ xfs_imap(
* inodes in stale state on disk. Hence we have to do a btree lookup
* in all cases where an untrusted inode number is passed.
*/
- if (flags & XFS_IGET_BULKSTAT) {
+ if (flags & XFS_IGET_UNTRUSTED) {
error = xfs_imap_lookup(mp, tp, agno, agino, agbno,
&chunk_agbno, &offset_agbno, flags);
if (error)
diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
index 5c2ada4..9101e79 100644
--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -173,7 +173,7 @@ xfs_imap_to_bp(
if (unlikely(XFS_TEST_ERROR(!di_ok, mp,
XFS_ERRTAG_ITOBP_INOTOBP,
XFS_RANDOM_ITOBP_INOTOBP))) {
- if (iget_flags & XFS_IGET_BULKSTAT) {
+ if (iget_flags & XFS_IGET_UNTRUSTED) {
xfs_trans_brelse(tp, bp);
return XFS_ERROR(EINVAL);
}
diff --git a/fs/xfs/xfs_inode.h b/fs/xfs/xfs_inode.h
index 10dd2e0..7a2f347 100644
--- a/fs/xfs/xfs_inode.h
+++ b/fs/xfs/xfs_inode.h
@@ -499,7 +499,7 @@ do { \
* Flags for xfs_iget()
*/
#define XFS_IGET_CREATE 0x1
-#define XFS_IGET_BULKSTAT 0x2
+#define XFS_IGET_UNTRUSTED 0x2
int xfs_inotobp(struct xfs_mount *, struct xfs_trans *,
xfs_ino_t, struct xfs_dinode **,
diff --git a/fs/xfs/xfs_itable.c b/fs/xfs/xfs_itable.c
index f554bd9..5fccd84 100644
--- a/fs/xfs/xfs_itable.c
+++ b/fs/xfs/xfs_itable.c
@@ -76,7 +76,7 @@ xfs_bulkstat_one_int(
return XFS_ERROR(ENOMEM);
error = xfs_iget(mp, NULL, ino,
- XFS_IGET_BULKSTAT, XFS_ILOCK_SHARED, &ip, bno);
+ XFS_IGET_UNTRUSTED, XFS_ILOCK_SHARED, &ip, bno);
if (error) {
*stat = BULKSTAT_RV_NOTHING;
goto out_free;
--
1.7.1
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
next prev parent reply other threads:[~2010-06-18 7:30 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-18 7:32 xfs: validate inode numbers in file handles correctly Dave Chinner
2010-06-18 7:32 ` [PATCH 1/4] xfs: always use iget in bulkstat Dave Chinner
2010-06-18 7:32 ` [PATCH 2/4] xfs: validate untrusted inode numbers during lookup Dave Chinner
2010-06-18 11:41 ` Christoph Hellwig
2010-06-19 0:07 ` Dave Chinner
2010-06-18 7:32 ` Dave Chinner [this message]
2010-06-18 11:42 ` [PATCH 3/4] xfs: rename XFS_IGET_BULKSTAT to XFS_IGET_UNTRUSTED Christoph Hellwig
2010-06-18 7:32 ` [PATCH 4/4] xfs: remove block number from inode lookup code Dave Chinner
2010-06-18 8:22 ` Christoph Hellwig
2011-11-23 13:04 ` xfs: validate inode numbers in file handles correctly Guoquan Yang
2011-11-23 14:30 ` Christoph Hellwig
[not found] ` <SNT135-W7F5C64C2A3F67B48EFF3AA4CE0@phx.gbl>
2011-11-24 12:52 ` Christoph Hellwig
2011-11-28 11:19 ` Christoph Hellwig
2011-12-03 8:27 ` hank peng
2011-12-06 15:17 ` Christoph Hellwig
2011-12-03 9:56 ` yangguoquan
2011-12-29 9:19 ` xfs: validate inode numbers in file handles correctly--NFS Stale File Handle Again yangguoquan
2012-01-02 15:02 ` Christoph Hellwig
2012-01-04 2:20 ` yangguoquan
2012-01-24 17:58 ` Christoph Hellwig
2012-02-01 5:46 ` yangguoquan
-- strict thread matches above, loose matches on Subject: below --
2010-06-20 23:58 [PATCH 0/4, V2] xfs: validate inode numbers in file handles correctly Dave Chinner
2010-06-20 23:59 ` [PATCH 3/4] xfs: rename XFS_IGET_BULKSTAT to XFS_IGET_UNTRUSTED Dave Chinner
2010-06-21 7:21 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1276846374-23916-4-git-send-email-david@fromorbit.com \
--to=david@fromorbit.com \
--cc=security@kernel.org \
--cc=xfs@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox