From: Viacheslav Dubeyko <slava@dubeyko.com> To: Andrew Morton <akpm@linux-foundation.org> Cc: Colin King <colin.king@canonical.com>, linux-fsdevel@vger.kernel.org, dhowells@redhat.com, viro@zeniv.linux.org.uk, kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org, "Ernesto A.Fernndez" <ernesto.mnd.fernandez@gmail.com> Subject: Re: [PATCH] hfs: fix array out of bounds read of array extent Date: Wed, 17 Oct 2018 16:36:16 -0700 [thread overview] Message-ID: <1539819376.3188.6.camel@slavad-ubuntu-14.04> (raw) In-Reply-To: <20181017150117.fef4f8d8e814aa2d25adba5e@linux-foundation.org> On Wed, 2018-10-17 at 15:01 -0700, Andrew Morton wrote: > On Fri, 31 Aug 2018 15:05:38 +0100 Colin King <colin.king@canonical.com> wrote: > > > From: Colin Ian King <colin.king@canonical.com> > > > > Currently extent and index i are both being incremented causing > > an array out of bounds read on extent[i]. Fix this by removing > > the extraneous increment of extent. > > > > Detected by CoverityScan, CID#711541 ("Out of bounds read") > > > > Fixes: d1081202f1d0 ("HFS rewrite") > > No such commit here. I assume this is 7cb74be6fd827e314f8. > > > --- a/fs/hfs/extent.c > > +++ b/fs/hfs/extent.c > > @@ -300,7 +300,7 @@ int hfs_free_fork(struct super_block *sb, struct hfs_cat_file *file, int type) > > return 0; > > > > blocks = 0; > > - for (i = 0; i < 3; extent++, i++) By the way, the hfs_free_extents() has the same logic [1] of for (i = 0; i < 3; extent++, i++). It looks like that the bug is not fixed yet. Did anyone test this patch? What's the real reproduction path for the bug? Thanks, Vyacheslav Dubeyko. [1] https://elixir.bootlin.com/linux/latest/source/fs/hfs/extent.c#L251 > > + for (i = 0; i < 3; i++) > > blocks += be16_to_cpu(extent[i].count); > > > > res = hfs_free_extents(sb, extent, blocks, blocks); > > Well, that's quite the bug. Question is, why didn't anyone notice it. > What are the runtime effects? A disk space leak, perhaps? > > I worry a bit that, given the fs was evidently working "ok", perhaps > this error was corrected elsewhere in the code and that "fixing" this > site will have unexpected and undesirable runtime effects. Can someone > help me out here?
WARNING: multiple messages have this Message-ID (diff)
From: Viacheslav Dubeyko <slava@dubeyko.com> To: Andrew Morton <akpm@linux-foundation.org> Cc: Colin King <colin.king@canonical.com>, linux-fsdevel@vger.kernel.org, dhowells@redhat.com, viro@zeniv.linux.org.uk, kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org, "Ernesto A.Fernndez" <ernesto.mnd.fernandez@gmail.com> Subject: Re: [PATCH] hfs: fix array out of bounds read of array extent Date: Wed, 17 Oct 2018 23:36:16 +0000 [thread overview] Message-ID: <1539819376.3188.6.camel@slavad-ubuntu-14.04> (raw) In-Reply-To: <20181017150117.fef4f8d8e814aa2d25adba5e@linux-foundation.org> On Wed, 2018-10-17 at 15:01 -0700, Andrew Morton wrote: > On Fri, 31 Aug 2018 15:05:38 +0100 Colin King <colin.king@canonical.com> wrote: > > > From: Colin Ian King <colin.king@canonical.com> > > > > Currently extent and index i are both being incremented causing > > an array out of bounds read on extent[i]. Fix this by removing > > the extraneous increment of extent. > > > > Detected by CoverityScan, CID#711541 ("Out of bounds read") > > > > Fixes: d1081202f1d0 ("HFS rewrite") > > No such commit here. I assume this is 7cb74be6fd827e314f8. > > > --- a/fs/hfs/extent.c > > +++ b/fs/hfs/extent.c > > @@ -300,7 +300,7 @@ int hfs_free_fork(struct super_block *sb, struct hfs_cat_file *file, int type) > > return 0; > > > > blocks = 0; > > - for (i = 0; i < 3; extent++, i++) By the way, the hfs_free_extents() has the same logic [1] of for (i = 0; i < 3; extent++, i++). It looks like that the bug is not fixed yet. Did anyone test this patch? What's the real reproduction path for the bug? Thanks, Vyacheslav Dubeyko. [1] https://elixir.bootlin.com/linux/latest/source/fs/hfs/extent.c#L251 > > + for (i = 0; i < 3; i++) > > blocks += be16_to_cpu(extent[i].count); > > > > res = hfs_free_extents(sb, extent, blocks, blocks); > > Well, that's quite the bug. Question is, why didn't anyone notice it. > What are the runtime effects? A disk space leak, perhaps? > > I worry a bit that, given the fs was evidently working "ok", perhaps > this error was corrected elsewhere in the code and that "fixing" this > site will have unexpected and undesirable runtime effects. Can someone > help me out here?
next prev parent reply other threads:[~2018-10-17 23:36 UTC|newest] Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-08-31 14:05 [PATCH] hfs: fix array out of bounds read of array extent Colin King 2018-08-31 14:05 ` Colin King 2018-10-17 17:49 ` Ernesto A. Fernández 2018-10-17 17:49 ` Ernesto A. Fernández [not found] ` <20181017150117.fef4f8d8e814aa2d25adba5e@linux-foundation.org> 2018-10-17 23:17 ` Al Viro 2018-10-17 23:17 ` Al Viro 2018-10-17 23:28 ` Ernesto A. Fernández 2018-10-17 23:28 ` Ernesto A. Fernández 2018-10-17 23:36 ` Viacheslav Dubeyko [this message] 2018-10-17 23:36 ` Viacheslav Dubeyko
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1539819376.3188.6.camel@slavad-ubuntu-14.04 \ --to=slava@dubeyko.com \ --cc=akpm@linux-foundation.org \ --cc=colin.king@canonical.com \ --cc=dhowells@redhat.com \ --cc=ernesto.mnd.fernandez@gmail.com \ --cc=kernel-janitors@vger.kernel.org \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=viro@zeniv.linux.org.uk \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.