[PATCH] reiserfs: check directry items on read from disk

reiserfs-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] reiserfs: check directry items on read from disk
@ 2021-07-09 15:29 Shreyansh Chouhan
  2021-07-20  7:31 ` Shreyansh Chouhan
  0 siblings, 1 reply; 4+ messages in thread
From: Shreyansh Chouhan @ 2021-07-09 15:29 UTC (permalink / raw)
  To: rkovhaev, jack
  Cc: Shreyansh Chouhan, reiserfs-devel, linux-kernel,
	syzbot+c31a48e6702ccb3d64c9

While verifying the leaf item that we read from the disk, reiserfs
doesn't check the directory items, this could cause a crash when we
read a directory item from the disk that has an invalid deh_location.

This patch adds a check to the directory items read from the disk that
does a bounds check on deh_location for the directory entries. Any
directory entry header with a directory entry offset greater than the
item length is considered invalid.

Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com
Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
---
 fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
index 476a7ff49482..ef42729216d1 100644
--- a/fs/reiserfs/stree.c
+++ b/fs/reiserfs/stree.c
@@ -387,6 +387,24 @@ void pathrelse(struct treepath *search_path)
 	search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET;
 }
 
+static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih)
+{
+	struct reiserfs_de_head *deh;
+	int i;
+
+	deh = B_I_DEH(bh, ih);
+	for (i = 0; i < ih_entry_count(ih); i++) {
+		if (deh_location(&deh[i]) > ih_item_len(ih)) {
+			reiserfs_warning(NULL, "reiserfs-5094",
+					 "directory entry location seems wrong %h",
+					 &deh[i]);
+			return 0;
+		}
+	}
+
+	return 1;
+}
+
 static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
 {
 	struct block_head *blkh;
@@ -454,11 +472,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
 					 "(second one): %h", ih);
 			return 0;
 		}
-		if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
-			reiserfs_warning(NULL, "reiserfs-5093",
-					 "item entry count seems wrong %h",
-					 ih);
-			return 0;
+		if (is_direntry_le_ih(ih)) {
+			if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) {
+				reiserfs_warning(NULL, "reiserfs-5093",
+						 "item entry count seems wrong %h",
+						 ih);
+				return 0;
+			}
+			return has_valid_deh_location(bh, ih);
 		}
 		prev_location = ih_location(ih);
 	}
-- 
2.31.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] reiserfs: check directry items on read from disk
  2021-07-09 15:29 [PATCH] reiserfs: check directry items on read from disk Shreyansh Chouhan
@ 2021-07-20  7:31 ` Shreyansh Chouhan
  2021-07-26  8:20   ` Jan Kara
  0 siblings, 1 reply; 4+ messages in thread
From: Shreyansh Chouhan @ 2021-07-20  7:31 UTC (permalink / raw)
  To: rkovhaev, jack; +Cc: reiserfs-devel, linux-kernel, syzbot+c31a48e6702ccb3d64c9

Hi,

Just a ping for reviews/merge since there has been no activity on this patch.

Thank you,
Shreyansh Chouhan

On Fri, Jul 09, 2021 at 08:59:29PM +0530, Shreyansh Chouhan wrote:
> 
> While verifying the leaf item that we read from the disk, reiserfs
> doesn't check the directory items, this could cause a crash when we
> read a directory item from the disk that has an invalid deh_location.
> 
> This patch adds a check to the directory items read from the disk that
> does a bounds check on deh_location for the directory entries. Any
> directory entry header with a directory entry offset greater than the
> item length is considered invalid.
> 
> Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com
> Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
> ---
>  fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++-----
>  1 file changed, 26 insertions(+), 5 deletions(-)
> 
> diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
> index 476a7ff49482..ef42729216d1 100644
> --- a/fs/reiserfs/stree.c
> +++ b/fs/reiserfs/stree.c
> @@ -387,6 +387,24 @@ void pathrelse(struct treepath *search_path)
>  	search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET;
>  }
>  
> +static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih)
> +{
> +	struct reiserfs_de_head *deh;
> +	int i;
> +
> +	deh = B_I_DEH(bh, ih);
> +	for (i = 0; i < ih_entry_count(ih); i++) {
> +		if (deh_location(&deh[i]) > ih_item_len(ih)) {
> +			reiserfs_warning(NULL, "reiserfs-5094",
> +					 "directory entry location seems wrong %h",
> +					 &deh[i]);
> +			return 0;
> +		}
> +	}
> +
> +	return 1;
> +}
> +
>  static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
>  {
>  	struct block_head *blkh;
> @@ -454,11 +472,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
>  					 "(second one): %h", ih);
>  			return 0;
>  		}
> -		if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
> -			reiserfs_warning(NULL, "reiserfs-5093",
> -					 "item entry count seems wrong %h",
> -					 ih);
> -			return 0;
> +		if (is_direntry_le_ih(ih)) {
> +			if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) {
> +				reiserfs_warning(NULL, "reiserfs-5093",
> +						 "item entry count seems wrong %h",
> +						 ih);
> +				return 0;
> +			}
> +			return has_valid_deh_location(bh, ih);
>  		}
>  		prev_location = ih_location(ih);
>  	}
> -- 
> 2.31.1
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] reiserfs: check directry items on read from disk
  2021-07-20  7:31 ` Shreyansh Chouhan
@ 2021-07-26  8:20   ` Jan Kara
  2021-07-29  5:06     ` Shreyansh Chouhan
  0 siblings, 1 reply; 4+ messages in thread
From: Jan Kara @ 2021-07-26  8:20 UTC (permalink / raw)
  To: Shreyansh Chouhan
  Cc: rkovhaev, jack, reiserfs-devel, linux-kernel,
	syzbot+c31a48e6702ccb3d64c9

Hello!

On Tue 20-07-21 13:01:25, Shreyansh Chouhan wrote:
> Just a ping for reviews/merge since there has been no activity on this patch.

The patch is already in my tree and included in linux-next. I wanted to
send it to Linus before going on vacation but somehow that slipped through.
I'll send it to Linus this week with other fixes I have accumulated. I'm
sorry for the delay.

								Honza

> On Fri, Jul 09, 2021 at 08:59:29PM +0530, Shreyansh Chouhan wrote:
> > 
> > While verifying the leaf item that we read from the disk, reiserfs
> > doesn't check the directory items, this could cause a crash when we
> > read a directory item from the disk that has an invalid deh_location.
> > 
> > This patch adds a check to the directory items read from the disk that
> > does a bounds check on deh_location for the directory entries. Any
> > directory entry header with a directory entry offset greater than the
> > item length is considered invalid.
> > 
> > Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com
> > Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
> > ---
> >  fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++-----
> >  1 file changed, 26 insertions(+), 5 deletions(-)
> > 
> > diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
> > index 476a7ff49482..ef42729216d1 100644
> > --- a/fs/reiserfs/stree.c
> > +++ b/fs/reiserfs/stree.c
> > @@ -387,6 +387,24 @@ void pathrelse(struct treepath *search_path)
> >  	search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET;
> >  }
> >  
> > +static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih)
> > +{
> > +	struct reiserfs_de_head *deh;
> > +	int i;
> > +
> > +	deh = B_I_DEH(bh, ih);
> > +	for (i = 0; i < ih_entry_count(ih); i++) {
> > +		if (deh_location(&deh[i]) > ih_item_len(ih)) {
> > +			reiserfs_warning(NULL, "reiserfs-5094",
> > +					 "directory entry location seems wrong %h",
> > +					 &deh[i]);
> > +			return 0;
> > +		}
> > +	}
> > +
> > +	return 1;
> > +}
> > +
> >  static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
> >  {
> >  	struct block_head *blkh;
> > @@ -454,11 +472,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
> >  					 "(second one): %h", ih);
> >  			return 0;
> >  		}
> > -		if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
> > -			reiserfs_warning(NULL, "reiserfs-5093",
> > -					 "item entry count seems wrong %h",
> > -					 ih);
> > -			return 0;
> > +		if (is_direntry_le_ih(ih)) {
> > +			if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) {
> > +				reiserfs_warning(NULL, "reiserfs-5093",
> > +						 "item entry count seems wrong %h",
> > +						 ih);
> > +				return 0;
> > +			}
> > +			return has_valid_deh_location(bh, ih);
> >  		}
> >  		prev_location = ih_location(ih);
> >  	}
> > -- 
> > 2.31.1
> > 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] reiserfs: check directry items on read from disk
  2021-07-26  8:20   ` Jan Kara
@ 2021-07-29  5:06     ` Shreyansh Chouhan
  0 siblings, 0 replies; 4+ messages in thread
From: Shreyansh Chouhan @ 2021-07-29  5:06 UTC (permalink / raw)
  To: Jan Kara
  Cc: rkovhaev, reiserfs-devel, linux-kernel,
	syzbot+c31a48e6702ccb3d64c9

On Mon, Jul 26, 2021 at 10:20:50AM +0200, Jan Kara wrote:
> Hello!
> 
> On Tue 20-07-21 13:01:25, Shreyansh Chouhan wrote:
> > Just a ping for reviews/merge since there has been no activity on this patch.
> 
> The patch is already in my tree and included in linux-next. I wanted to
> send it to Linus before going on vacation but somehow that slipped through.
> I'll send it to Linus this week with other fixes I have accumulated. I'm
> sorry for the delay.
> 

No worries, also thanks a lot for the merge!

Regards,
Shreyansh Chouhan
> 								Honza
> 
> > On Fri, Jul 09, 2021 at 08:59:29PM +0530, Shreyansh Chouhan wrote:
> > > 
> > > While verifying the leaf item that we read from the disk, reiserfs
> > > doesn't check the directory items, this could cause a crash when we
> > > read a directory item from the disk that has an invalid deh_location.
> > > 
> > > This patch adds a check to the directory items read from the disk that
> > > does a bounds check on deh_location for the directory entries. Any
> > > directory entry header with a directory entry offset greater than the
> > > item length is considered invalid.
> > > 
> > > Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com
> > > Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
> > > ---
> > >  fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++-----
> > >  1 file changed, 26 insertions(+), 5 deletions(-)
> > > 
> > > diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
> > > index 476a7ff49482..ef42729216d1 100644
> > > --- a/fs/reiserfs/stree.c
> > > +++ b/fs/reiserfs/stree.c
> > > @@ -387,6 +387,24 @@ void pathrelse(struct treepath *search_path)
> > >  	search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET;
> > >  }
> > >  
> > > +static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih)
> > > +{
> > > +	struct reiserfs_de_head *deh;
> > > +	int i;
> > > +
> > > +	deh = B_I_DEH(bh, ih);
> > > +	for (i = 0; i < ih_entry_count(ih); i++) {
> > > +		if (deh_location(&deh[i]) > ih_item_len(ih)) {
> > > +			reiserfs_warning(NULL, "reiserfs-5094",
> > > +					 "directory entry location seems wrong %h",
> > > +					 &deh[i]);
> > > +			return 0;
> > > +		}
> > > +	}
> > > +
> > > +	return 1;
> > > +}
> > > +
> > >  static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
> > >  {
> > >  	struct block_head *blkh;
> > > @@ -454,11 +472,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
> > >  					 "(second one): %h", ih);
> > >  			return 0;
> > >  		}
> > > -		if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
> > > -			reiserfs_warning(NULL, "reiserfs-5093",
> > > -					 "item entry count seems wrong %h",
> > > -					 ih);
> > > -			return 0;
> > > +		if (is_direntry_le_ih(ih)) {
> > > +			if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) {
> > > +				reiserfs_warning(NULL, "reiserfs-5093",
> > > +						 "item entry count seems wrong %h",
> > > +						 ih);
> > > +				return 0;
> > > +			}
> > > +			return has_valid_deh_location(bh, ih);
> > >  		}
> > >  		prev_location = ih_location(ih);
> > >  	}
> > > -- 
> > > 2.31.1
> > > 
> -- 
> Jan Kara <jack@suse.com>
> SUSE Labs, CR

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-07-29  5:06 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-07-09 15:29 [PATCH] reiserfs: check directry items on read from disk Shreyansh Chouhan
2021-07-20  7:31 ` Shreyansh Chouhan
2021-07-26  8:20   ` Jan Kara
2021-07-29  5:06     ` Shreyansh Chouhan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).