* [PATCH] jffs2: add additinal sanity check for jffs2_acl_from_medium()
@ 2018-09-02 15:44 Chengguang Xu
2018-09-03 8:45 ` Richard Weinberger
0 siblings, 1 reply; 4+ messages in thread
From: Chengguang Xu @ 2018-09-02 15:44 UTC (permalink / raw)
To: dwmw2; +Cc: linux-mtd, Chengguang Xu
In the case ACL_USER and ACL_GROUP we check if value has exceeded end,
add same check in the case ACL_OTHER as well.
Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
---
fs/jffs2/acl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/jffs2/acl.c b/fs/jffs2/acl.c
index 093ffbd82395..fce32de3a18f 100644
--- a/fs/jffs2/acl.c
+++ b/fs/jffs2/acl.c
@@ -94,6 +94,8 @@ static struct posix_acl *jffs2_acl_from_medium(void *value, size_t size)
case ACL_MASK:
case ACL_OTHER:
value += sizeof(struct jffs2_acl_entry_short);
+ if (value > end)
+ goto fail;
break;
case ACL_USER:
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] jffs2: add additinal sanity check for jffs2_acl_from_medium()
2018-09-02 15:44 [PATCH] jffs2: add additinal sanity check for jffs2_acl_from_medium() Chengguang Xu
@ 2018-09-03 8:45 ` Richard Weinberger
2018-09-03 13:28 ` cgxu519
0 siblings, 1 reply; 4+ messages in thread
From: Richard Weinberger @ 2018-09-03 8:45 UTC (permalink / raw)
To: cgxu519; +Cc: David Woodhouse, linux-mtd @ lists . infradead . org
On Sun, Sep 2, 2018 at 5:45 PM Chengguang Xu <cgxu519@gmx.com> wrote:
>
> In the case ACL_USER and ACL_GROUP we check if value has exceeded end,
> add same check in the case ACL_OTHER as well.
Did you hit a problem in that area or was this found by review?
>From looking at the code I'd say it is fine as is.
In the ACL_MASK/_OTHER case we don't look into the entry object like
ACL_USER/_GROUP
do, we immediately break the switch and run another round in the for loop.
And here we do:
entry = value;
if (value + sizeof(struct jffs2_acl_entry_short) > end)
goto fail;
Which is what your additional check does. So, we'd check twice.
What do I miss?
> Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
> ---
> fs/jffs2/acl.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/jffs2/acl.c b/fs/jffs2/acl.c
> index 093ffbd82395..fce32de3a18f 100644
> --- a/fs/jffs2/acl.c
> +++ b/fs/jffs2/acl.c
> @@ -94,6 +94,8 @@ static struct posix_acl *jffs2_acl_from_medium(void *value, size_t size)
> case ACL_MASK:
> case ACL_OTHER:
> value += sizeof(struct jffs2_acl_entry_short);
> + if (value > end)
> + goto fail;
> break;
>
> case ACL_USER:
> --
> 2.17.1
>
>
> ______________________________________________________
> Linux MTD discussion mailing list
> http://lists.infradead.org/mailman/listinfo/linux-mtd/
--
Thanks,
//richard
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] jffs2: add additinal sanity check for jffs2_acl_from_medium()
2018-09-03 8:45 ` Richard Weinberger
@ 2018-09-03 13:28 ` cgxu519
2018-09-03 14:01 ` Richard Weinberger
0 siblings, 1 reply; 4+ messages in thread
From: cgxu519 @ 2018-09-03 13:28 UTC (permalink / raw)
To: Richard Weinberger; +Cc: David Woodhouse, linux-mtd @ lists . infradead . org
On 09/03/2018 04:45 PM, Richard Weinberger wrote:
> On Sun, Sep 2, 2018 at 5:45 PM Chengguang Xu <cgxu519@gmx.com> wrote:
>> In the case ACL_USER and ACL_GROUP we check if value has exceeded end,
>> add same check in the case ACL_OTHER as well.
> Did you hit a problem in that area or was this found by review?
> From looking at the code I'd say it is fine as is.
> In the ACL_MASK/_OTHER case we don't look into the entry object like
> ACL_USER/_GROUP
> do, we immediately break the switch and run another round in the for loop.
> And here we do:
> entry = value;
> if (value + sizeof(struct jffs2_acl_entry_short) > end)
> goto fail;
>
> Which is what your additional check does. So, we'd check twice.
> What do I miss?
You are right, it is actually not needed. Sorry, please just drop the patch.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] jffs2: add additinal sanity check for jffs2_acl_from_medium()
2018-09-03 13:28 ` cgxu519
@ 2018-09-03 14:01 ` Richard Weinberger
0 siblings, 0 replies; 4+ messages in thread
From: Richard Weinberger @ 2018-09-03 14:01 UTC (permalink / raw)
To: cgxu519, David Woodhouse; +Cc: linux-mtd
Am Montag, 3. September 2018, 15:28:31 CEST schrieb cgxu519:
> On 09/03/2018 04:45 PM, Richard Weinberger wrote:
> > On Sun, Sep 2, 2018 at 5:45 PM Chengguang Xu <cgxu519@gmx.com> wrote:
> >> In the case ACL_USER and ACL_GROUP we check if value has exceeded end,
> >> add same check in the case ACL_OTHER as well.
> > Did you hit a problem in that area or was this found by review?
> > From looking at the code I'd say it is fine as is.
> > In the ACL_MASK/_OTHER case we don't look into the entry object like
> > ACL_USER/_GROUP
> > do, we immediately break the switch and run another round in the for loop.
> > And here we do:
> > entry = value;
> > if (value + sizeof(struct jffs2_acl_entry_short) > end)
> > goto fail;
> >
> > Which is what your additional check does. So, we'd check twice.
> > What do I miss?
>
> You are right, it is actually not needed. Sorry, please just drop the patch.
No problem, that's why we have a review process. :-)
Thanks,
//richard
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-09-03 14:01 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-09-02 15:44 [PATCH] jffs2: add additinal sanity check for jffs2_acl_from_medium() Chengguang Xu
2018-09-03 8:45 ` Richard Weinberger
2018-09-03 13:28 ` cgxu519
2018-09-03 14:01 ` Richard Weinberger
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.