From: Andrew Morton <akpm@osdl.org>
To: Neil Brown <neilb@suse.de>
Cc: jack@suse.cz, 20@madingley.org, marcel@holtmann.org,
linux-kernel@vger.kernel.org, sct@redhat.com,
"Theodore Ts'o" <tytso@mit.edu>,
Andreas Dilger <adilger@clusterfs.com>
Subject: Re: Bad ext3/nfs DoS bug
Date: Fri, 21 Jul 2006 17:06:27 -0700 [thread overview]
Message-ID: <20060721170627.4cbea27d.akpm@osdl.org> (raw)
In-Reply-To: <17600.30372.397971.955987@cse.unsw.edu.au>
On Fri, 21 Jul 2006 16:39:32 +1000
Neil Brown <neilb@suse.de> wrote:
> Avoid triggering ext3_error on bad NFS file handle
>
> The inode number out of an NFS file handle gets passed
> eventually to ext3_get_inode_block without any checking.
> If ext3_get_inode_block allows it to trigger a error,
> then bad filehandles can have unpleasant effect.
>
> So remove the call to ext3_error there and put a matching
> check in ext3/namei.c where inode numbers are read of storage.
>
There are strange things happening in here.
> +static inline int ext3_valid_inum(struct super_block *sb, unsigned long ino)
> +{
> + return ino == EXT3_ROOT_INO ||
> + ino == EXT3_JOURNAL_INO ||
> + ino == EXT3_RESIZE_INO ||
> + (ino > EXT3_FIRST_INO(sb) &&
> + ino <= le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count));
> +}
One would expect the inode validity test to be
(ino >= EXT3_FIRST_INO(sb)) && (ino < ...->s_inodes_count))
but even this assumes that s_inodes_count is misnamed and really should be
called s_last_inode_plus_one. If it is not misnamed then the validity test
should be
(ino >= EXT3_FIRST_INO(sb)) &&
(ino < EXT3_FIRST_INO(sb) + ...->s_inodes_count))
Look through the filesystem for other uses of EXT3_FIRST_INO(). It's all
rather fishily inconsistent.
Ted, Andreas: do you think we could come up with statements describing
exactly what the values in EXT3_FIRST_INO() and in ->s_inodes_count
represent? Thanks.
Also Neil, I wonder whether this patch of yours still permits NFS clients
to access the journal and resize inodes in undesirable ways?
next prev parent reply other threads:[~2006-07-22 0:07 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-17 13:01 Bad ext3/nfs DoS bug James
2006-07-17 13:06 ` Marcel Holtmann
2006-07-17 18:43 ` Marcel Holtmann
2006-07-18 7:55 ` Marcel Holtmann
2006-07-18 14:56 ` James
2006-07-18 15:22 ` Marcel Holtmann
2006-07-18 15:23 ` James
2006-07-18 20:18 ` Marcel Holtmann
2006-07-19 9:28 ` James
2006-07-19 15:55 ` Jan Kara
2006-07-20 4:46 ` Neil Brown
2006-07-20 16:06 ` Jan Kara
2006-07-20 20:11 ` James
2006-07-21 6:44 ` Neil Brown
2006-07-21 6:39 ` Neil Brown
2006-07-21 14:24 ` Jan Kara
2006-07-22 0:06 ` Andrew Morton [this message]
2006-07-22 13:17 ` Theodore Tso
2006-07-25 1:56 ` Andrew Morton
2006-07-25 2:21 ` Neil Brown
2006-07-26 17:12 ` Eric Sandeen
2006-07-26 23:53 ` Neil Brown
2006-07-27 18:32 ` Eric Sandeen
2006-07-27 19:12 ` Christoph Hellwig
2006-07-28 0:34 ` Neil Brown
2006-07-28 13:27 ` Peter Staubach
2006-07-28 13:30 ` Christoph Hellwig
2006-07-25 2:36 ` Neil Brown
2006-07-25 18:27 ` Eric Sandeen
2006-07-21 0:42 ` Marcel Holtmann
2006-07-21 12:29 ` Andrew Morton
-- strict thread matches above, loose matches on Subject: below --
2006-07-22 3:38 linux
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060721170627.4cbea27d.akpm@osdl.org \
--to=akpm@osdl.org \
--cc=20@madingley.org \
--cc=adilger@clusterfs.com \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=marcel@holtmann.org \
--cc=neilb@suse.de \
--cc=sct@redhat.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox