From: Viacheslav Dubeyko <slava@dubeyko.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Colin King <colin.king@canonical.com>,
linux-fsdevel@vger.kernel.org, dhowells@redhat.com,
viro@zeniv.linux.org.uk, kernel-janitors@vger.kernel.org,
linux-kernel@vger.kernel.org,
"Ernesto A.Fernndez" <ernesto.mnd.fernandez@gmail.com>
Subject: Re: [PATCH] hfs: fix array out of bounds read of array extent
Date: Wed, 17 Oct 2018 16:36:16 -0700 [thread overview]
Message-ID: <1539819376.3188.6.camel@slavad-ubuntu-14.04> (raw)
In-Reply-To: <20181017150117.fef4f8d8e814aa2d25adba5e@linux-foundation.org>
On Wed, 2018-10-17 at 15:01 -0700, Andrew Morton wrote:
> On Fri, 31 Aug 2018 15:05:38 +0100 Colin King <colin.king@canonical.com> wrote:
>
> > From: Colin Ian King <colin.king@canonical.com>
> >
> > Currently extent and index i are both being incremented causing
> > an array out of bounds read on extent[i]. Fix this by removing
> > the extraneous increment of extent.
> >
> > Detected by CoverityScan, CID#711541 ("Out of bounds read")
> >
> > Fixes: d1081202f1d0 ("HFS rewrite")
>
> No such commit here. I assume this is 7cb74be6fd827e314f8.
>
> > --- a/fs/hfs/extent.c
> > +++ b/fs/hfs/extent.c
> > @@ -300,7 +300,7 @@ int hfs_free_fork(struct super_block *sb, struct hfs_cat_file *file, int type)
> > return 0;
> >
> > blocks = 0;
> > - for (i = 0; i < 3; extent++, i++)
By the way, the hfs_free_extents() has the same logic [1] of for (i = 0;
i < 3; extent++, i++). It looks like that the bug is not fixed yet. Did
anyone test this patch? What's the real reproduction path for the bug?
Thanks,
Vyacheslav Dubeyko.
[1] https://elixir.bootlin.com/linux/latest/source/fs/hfs/extent.c#L251
> > + for (i = 0; i < 3; i++)
> > blocks += be16_to_cpu(extent[i].count);
> >
> > res = hfs_free_extents(sb, extent, blocks, blocks);
>
> Well, that's quite the bug. Question is, why didn't anyone notice it.
> What are the runtime effects? A disk space leak, perhaps?
>
> I worry a bit that, given the fs was evidently working "ok", perhaps
> this error was corrected elsewhere in the code and that "fixing" this
> site will have unexpected and undesirable runtime effects. Can someone
> help me out here?
WARNING: multiple messages have this Message-ID (diff)
From: Viacheslav Dubeyko <slava@dubeyko.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Colin King <colin.king@canonical.com>,
linux-fsdevel@vger.kernel.org, dhowells@redhat.com,
viro@zeniv.linux.org.uk, kernel-janitors@vger.kernel.org,
linux-kernel@vger.kernel.org,
"Ernesto A.Fernndez" <ernesto.mnd.fernandez@gmail.com>
Subject: Re: [PATCH] hfs: fix array out of bounds read of array extent
Date: Wed, 17 Oct 2018 23:36:16 +0000 [thread overview]
Message-ID: <1539819376.3188.6.camel@slavad-ubuntu-14.04> (raw)
In-Reply-To: <20181017150117.fef4f8d8e814aa2d25adba5e@linux-foundation.org>
On Wed, 2018-10-17 at 15:01 -0700, Andrew Morton wrote:
> On Fri, 31 Aug 2018 15:05:38 +0100 Colin King <colin.king@canonical.com> wrote:
>
> > From: Colin Ian King <colin.king@canonical.com>
> >
> > Currently extent and index i are both being incremented causing
> > an array out of bounds read on extent[i]. Fix this by removing
> > the extraneous increment of extent.
> >
> > Detected by CoverityScan, CID#711541 ("Out of bounds read")
> >
> > Fixes: d1081202f1d0 ("HFS rewrite")
>
> No such commit here. I assume this is 7cb74be6fd827e314f8.
>
> > --- a/fs/hfs/extent.c
> > +++ b/fs/hfs/extent.c
> > @@ -300,7 +300,7 @@ int hfs_free_fork(struct super_block *sb, struct hfs_cat_file *file, int type)
> > return 0;
> >
> > blocks = 0;
> > - for (i = 0; i < 3; extent++, i++)
By the way, the hfs_free_extents() has the same logic [1] of for (i = 0;
i < 3; extent++, i++). It looks like that the bug is not fixed yet. Did
anyone test this patch? What's the real reproduction path for the bug?
Thanks,
Vyacheslav Dubeyko.
[1] https://elixir.bootlin.com/linux/latest/source/fs/hfs/extent.c#L251
> > + for (i = 0; i < 3; i++)
> > blocks += be16_to_cpu(extent[i].count);
> >
> > res = hfs_free_extents(sb, extent, blocks, blocks);
>
> Well, that's quite the bug. Question is, why didn't anyone notice it.
> What are the runtime effects? A disk space leak, perhaps?
>
> I worry a bit that, given the fs was evidently working "ok", perhaps
> this error was corrected elsewhere in the code and that "fixing" this
> site will have unexpected and undesirable runtime effects. Can someone
> help me out here?
next prev parent reply other threads:[~2018-10-17 23:36 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-31 14:05 [PATCH] hfs: fix array out of bounds read of array extent Colin King
2018-08-31 14:05 ` Colin King
2018-10-17 17:49 ` Ernesto A. Fernández
2018-10-17 17:49 ` Ernesto A. Fernández
[not found] ` <20181017150117.fef4f8d8e814aa2d25adba5e@linux-foundation.org>
2018-10-17 23:17 ` Al Viro
2018-10-17 23:17 ` Al Viro
2018-10-17 23:28 ` Ernesto A. Fernández
2018-10-17 23:28 ` Ernesto A. Fernández
2018-10-17 23:36 ` Viacheslav Dubeyko [this message]
2018-10-17 23:36 ` Viacheslav Dubeyko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1539819376.3188.6.camel@slavad-ubuntu-14.04 \
--to=slava@dubeyko.com \
--cc=akpm@linux-foundation.org \
--cc=colin.king@canonical.com \
--cc=dhowells@redhat.com \
--cc=ernesto.mnd.fernandez@gmail.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.