From: "Darrick J. Wong" <djwong@kernel.org>
To: Christoph Hellwig <hch@infradead.org>
Cc: linux-xfs@vger.kernel.org
Subject: Re: [PATCH 1/1] xfs: online repair of symbolic links
Date: Thu, 29 Feb 2024 09:16:32 -0800 [thread overview]
Message-ID: <20240229171632.GA1927156@frogsfrogsfrogs> (raw)
In-Reply-To: <ZeCFrUVJ54Grt8qy@infradead.org>
On Thu, Feb 29, 2024 at 05:25:01AM -0800, Christoph Hellwig wrote:
> On Wed, Feb 28, 2024 at 03:46:30PM -0800, Darrick J. Wong wrote:
> > If scrub (or the regular verifiers) hit anything, then we end up in
> > symlink_repair.c with CORRUPT set. In this case we set the target to
> > DUMMY_TARGET.
>
> Yes.
>
> > If the salvage functions recover fewer bytes than i_disk_size, then
> > we'll set the target to DUMMY_TARGET because that could lead to things
> > like:
> >
> > 0. touch autoexec autoexec@bat
> > 1. ln -s 'autoexec@bat' victimlink
> > 2. corrupt victimlink by s/@/\0/g' on the target
> > 3. repair salvages the target and ends up with 'autoexec'
> >
> > Alternately:
> >
> > 0. touch autoexec autoexec@bat
> > 1. ln -s 'autoexec@bat' victimlink
> > 2. corrupt victimlink by incrementing di_size (it's now 13)
> > 3. repair salvages the target and ends up with "autoexec@bat\0"
> >
> > In both of those cases, something's inconsistent between the buffer
> > contents and di_size.
>
> Yes.
>
> > There aren't supposed to be nulls in the target,
> > but whatever might have been in that byte originally is long gone. The
> > only thing to do here is replace it with DUMMY_TARGET.
> >
> > If salvage recovers more bytes than i_disk_size then we have no idea if
> > di_size was broken or not because the target isn't null-terminated.
> > In theory the kernel will never do this (because it zeroes the xfs_buf
> > contents in xfs_trans_buf_get) but fuzzers could do that.
>
> Now why do we even want to salvage parts of the symlink? A truncated
> symlink generally would cause more harm than just refusing to follow it.
We don't want to salvage in that case. I forgot to finish that last
paragraph:
"If salvage recovers more bytes than i_disk_size then we have no idea if
di_size was broken or not because the target isn't null-terminated. In
theory the kernel will never do this (because it zeroes the xfs_buf
contents in xfs_trans_buf_get) but fuzzers could do that. Set the
target to DUMMY_TARGET in this case."
and maybe add:
"The symlink target will be preserved if scrub does not find any errors
in the symlink file, the number of bytes recovered matches i_disk_size,
and there are no nulls in the recovered target. In all other cases it
is set to DUMMY_TARGET."
--D
next prev parent reply other threads:[~2024-02-29 17:16 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-27 2:18 [PATCHSET v29.['hch@lst.de'] 11/13] xfs: online repair of symbolic links Darrick J. Wong
2024-02-27 2:23 ` Darrick J. Wong
2024-02-27 2:32 ` [PATCH 1/1] " Darrick J. Wong
2024-02-28 17:26 ` Christoph Hellwig
2024-02-28 18:37 ` Darrick J. Wong
2024-02-28 18:53 ` Christoph Hellwig
2024-02-28 20:52 ` Darrick J. Wong
2024-02-28 22:10 ` Christoph Hellwig
2024-02-28 23:46 ` Darrick J. Wong
2024-02-29 13:25 ` Christoph Hellwig
2024-02-29 17:16 ` Darrick J. Wong [this message]
2024-02-29 19:42 ` Christoph Hellwig
-- strict thread matches above, loose matches on Subject: below --
2024-03-27 1:49 [PATCHSET v30.1 12/15] " Darrick J. Wong
2024-03-27 2:05 ` [PATCH 1/1] " Darrick J. Wong
2024-03-27 16:53 ` Christoph Hellwig
2024-03-29 20:44 ` Darrick J. Wong
2024-03-29 20:58 ` Darrick J. Wong
2023-12-31 19:45 [PATCHSET v29.0 23/40] xfsprogs: " Darrick J. Wong
2023-12-31 22:35 ` [PATCH 1/1] xfs: " Darrick J. Wong
2023-12-31 19:31 [PATCHSET v29.0 24/28] " Darrick J. Wong
2023-12-31 20:39 ` [PATCH 1/1] " Darrick J. Wong
2023-05-26 0:36 [PATCHSET v25.0 0/1] " Darrick J. Wong
2023-05-26 1:36 ` [PATCH 1/1] " Darrick J. Wong
2022-12-30 22:14 [PATCHSET v24.0 0/1] " Darrick J. Wong
2022-12-30 22:14 ` [PATCH 1/1] " Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240229171632.GA1927156@frogsfrogsfrogs \
--to=djwong@kernel.org \
--cc=hch@infradead.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox