Re: [RFC PATCH v2] ceph: ceph: fix out-of-bound array access when doing a file read

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Luis Henriques <luis.henriques@linux.dev>
To: Goldwyn Rodrigues <rgoldwyn@suse.de>
Cc: Alex Markuze <amarkuze@redhat.com>, Xiubo Li <xiubli@redhat.com>,
	 Ilya Dryomov <idryomov@gmail.com>,
	 ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v2] ceph: ceph: fix out-of-bound array access when doing a file read
Date: Thu, 07 Nov 2024 11:09:38 +0000	[thread overview]
Message-ID: <87ldxvuwp9.fsf@linux.dev> (raw)
In-Reply-To: <yvmwdvnfzqz3efyoypejvkd4ihn5viagy4co7f4pquwrlvjli6@t7k6uihd2pp3> (Goldwyn Rodrigues's message of "Wed, 6 Nov 2024 15:40:44 -0500")

(CC'ing Alex)

On Wed, Nov 06 2024, Goldwyn Rodrigues wrote:

> Hi Xiubo,
>
>> BTW, so in the following code:
>> 
>> 1202                 idx = 0;
>> 1203                 if (ret <= 0)
>> 1204                         left = 0;
>> 1205                 else if (off + ret > i_size)
>> 1206                         left = i_size - off;
>> 1207                 else
>> 1208                         left = ret;
>> 
>> The 'ret' should be larger than '0', right ?
>> 
>> If so we do not check anf fix it in the 'else if' branch instead?
>> 
>> Because currently the read path code won't exit directly and keep 
>> retrying to read if it found that the real content length is longer than 
>> the local 'i_size'.
>> 
>> Again I am afraid your current fix will break the MIX filelock semantic ?
>
> Do you think changing left to ssize_t instead of size_t will
> fix the problem?
>
> diff --git a/fs/ceph/file.c b/fs/ceph/file.c
> index 4b8d59ebda00..f8955773bdd7 100644
> --- a/fs/ceph/file.c
> +++ b/fs/ceph/file.c
> @@ -1066,7 +1066,7 @@ ssize_t __ceph_sync_read(struct inode *inode, loff_t *ki_pos,
>  	if (ceph_inode_is_shutdown(inode))
>  		return -EIO;
>  
> -	if (!len)
> +	if (!len || !i_size)
>  		return 0;
>  	/*
>  	 * flush any page cache pages in this range.  this
> @@ -1087,7 +1087,7 @@ ssize_t __ceph_sync_read(struct inode *inode, loff_t *ki_pos,
>  		size_t page_off;
>  		bool more;
>  		int idx;
> -		size_t left;
> +		ssize_t left;
>  		struct ceph_osd_req_op *op;
>  		u64 read_off = off;
>  		u64 read_len = len;
>

I *think* (although I haven't tested it) that you're patch should work as
well.  But I also think it's a bit more hacky: the overflow will still be
there:

		if (ret <= 0)
			left = 0;
		else if (off + ret > i_size)
			left = i_size - off;
		else
			left = ret;
		while (left > 0) {
			// ...
		}

If 'i_size' is '0', 'left' (which is now signed) will now have a negative
value in the 'else if' branch and the loop that follows will not be
executed.  My version will simply set 'ret' to '0' before this 'if'
construct.

So, in my opinion, what needs to be figured out is whether this will cause
problems on the MDS side or not.  Because on the kernel client, it should
be safe to ignore reads to an inode that has size set to '0', even if
there's already data available to be read.  Eventually, the inode metadata
will get updated and by then we can retry the read.

Unfortunately, the MDS continues to be a huge black box for me and the
locking code in particular is very tricky.  I'd rather defer this for
anyone that is familiar with the code.

Cheers,
-- 
Luís

next prev parent reply	other threads:[~2024-11-07 11:09 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-05 13:57 [RFC PATCH v2] ceph: ceph: fix out-of-bound array access when doing a file read Luis Henriques (SUSE)
2024-09-06 11:17 ` Xiubo Li
2024-09-06 11:30   ` Luis Henriques
2024-09-06 12:48     ` Xiubo Li
2024-09-30 15:30       ` Luis Henriques
2024-11-04 14:34         ` Luis Henriques
2024-11-05  1:10           ` Xiubo Li
2024-11-05  9:21             ` Luis Henriques
2024-11-06 20:40   ` Goldwyn Rodrigues
2024-11-07 11:09     ` Luis Henriques [this message]
2024-11-27 13:47       ` Alex Markuze
2024-11-28 17:42         ` Luis Henriques
2024-11-28 18:19           ` Alex Markuze
2024-11-28 18:52             ` Luis Henriques
2024-11-28 19:09               ` Alex Markuze
2024-11-28 19:31                 ` Alex Markuze
2024-12-11 10:36                   ` Alex Markuze

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87ldxvuwp9.fsf@linux.dev \
    --to=luis.henriques@linux.dev \
    --cc=amarkuze@redhat.com \
    --cc=ceph-devel@vger.kernel.org \
    --cc=idryomov@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=rgoldwyn@suse.de \
    --cc=xiubli@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox