From: Gao Xiang <hsiangkao@redhat.com>
To: "Darrick J. Wong" <darrick.wong@oracle.com>
Cc: linux-xfs@vger.kernel.org, Brian Foster <bfoster@redhat.com>,
Dave Chinner <david@fromorbit.com>
Subject: Re: [PATCH v4 1/2] xfs: avoid LR buffer overrun due to crafted h_len
Date: Thu, 24 Sep 2020 00:52:58 +0800 [thread overview]
Message-ID: <20200923165258.GA28205@xiangao.remote.csb> (raw)
In-Reply-To: <20200923163540.GU7955@magnolia>
On Wed, Sep 23, 2020 at 09:35:40AM -0700, Darrick J. Wong wrote:
> On Thu, Sep 17, 2020 at 01:13:40PM +0800, Gao Xiang wrote:
> > Currently, crafted h_len has been blocked for the log
> > header of the tail block in commit a70f9fe52daa ("xfs:
> > detect and handle invalid iclog size set by mkfs").
> >
> > However, each log record could still have crafted h_len
> > and cause log record buffer overrun. So let's check
> > h_len vs buffer size for each log record as well.
> >
> > Signed-off-by: Gao Xiang <hsiangkao@redhat.com>
>
> /me squints real hard and thinks he understands what this patch does.
>
> Tighten up xlog_valid_rec_header, and add a new callsite in the middle
> of xlog_do_recovery_pass instead of the insufficient length checking.
> Assuming that's right,
>
> Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Thanks for the review!
The main point is to check each individual LR h_len against LR buffer
size allocated first in xlog_do_recovery_pass() to avoid buffer
overflow triggered by CRC calc or follow-up steps (details in
https://lore.kernel.org/linux-xfs/20200902224726.GB4671@xiangao.remote.csb/ ).
no new callsite (just move the callsite after original workaround
code). Anyway, that is just a buffer overflow issue can be triggered
by corrupted log. Just a minor stuff but security guyes could also
keep eyes on such thing. I think that is right. :)
Thanks,
Gao Xiang
>
> --D
next prev parent reply other threads:[~2020-09-23 16:53 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-17 5:13 [PATCH v2 0/2] xfs: random patches on log recovery Gao Xiang
2020-09-17 5:13 ` [PATCH v4 1/2] xfs: avoid LR buffer overrun due to crafted h_len Gao Xiang
2020-09-22 15:22 ` Brian Foster
2020-09-22 15:28 ` Gao Xiang
2020-09-23 16:35 ` Darrick J. Wong
2020-09-23 16:52 ` Gao Xiang [this message]
2020-09-17 5:13 ` [PATCH v3 2/2] xfs: clean up calculation of LR header blocks Gao Xiang
2020-09-22 15:22 ` Brian Foster
2020-09-22 15:32 ` Gao Xiang
2020-09-22 15:53 ` [PATCH v3.2] " Gao Xiang
2020-09-23 16:32 ` Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200923165258.GA28205@xiangao.remote.csb \
--to=hsiangkao@redhat.com \
--cc=bfoster@redhat.com \
--cc=darrick.wong@oracle.com \
--cc=david@fromorbit.com \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox