* [PATCH] staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()
@ 2019-03-28 20:14 ` Gao Xiang
0 siblings, 0 replies; 7+ messages in thread
From: Gao Xiang @ 2019-03-28 20:14 UTC (permalink / raw)
To: Chao Yu, Greg Kroah-Hartman
Cc: devel, linux-erofs, LKML, chao, weidu.du, Miao Xie, Gao Xiang, # 4 . 19+
From: Gao Xiang <gaoxiang25@huawei.com>
After commit 419d6efc50e9, kernel cannot be crashed in the namei
path. However, corrupted nameoff can do harm in the process of
readdir for scenerios without dm-verity as well. Fix it now.
Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
---
The remaining work of
https://lore.kernel.org/linux-fsdevel/20181102194235.GA32577@ZenIV.linux.org.uk/
and the patch had been staying in my private repo for a while.
I'd like to get it reviewed now and fixed.
Thanks,
Gao Xiang
drivers/staging/erofs/dir.c | 45 +++++++++++++++++++++++++--------------------
1 file changed, 25 insertions(+), 20 deletions(-)
diff --git a/drivers/staging/erofs/dir.c b/drivers/staging/erofs/dir.c
index 829f7b12e0dc..9bbc68729c11 100644
--- a/drivers/staging/erofs/dir.c
+++ b/drivers/staging/erofs/dir.c
@@ -23,6 +23,21 @@ static const unsigned char erofs_filetype_table[EROFS_FT_MAX] = {
[EROFS_FT_SYMLINK] = DT_LNK,
};
+static void debug_one_dentry(unsigned char d_type, const char *de_name,
+ unsigned int de_namelen)
+{
+#ifdef CONFIG_EROFS_FS_DEBUG
+ /* since the on-disk name could not have the trailing '\0' */
+ unsigned char dbg_namebuf[EROFS_NAME_LEN + 1];
+
+ memcpy(dbg_namebuf, de_name, de_namelen);
+ dbg_namebuf[de_namelen] = '\0';
+
+ debugln("found dirent %s de_len %u d_type %d", dbg_namebuf,
+ de_namelen, d_type);
+#endif
+}
+
static int erofs_fill_dentries(struct dir_context *ctx,
void *dentry_blk, unsigned int *ofs,
unsigned int nameoff, unsigned int maxsize)
@@ -33,14 +48,10 @@ static int erofs_fill_dentries(struct dir_context *ctx,
de = dentry_blk + *ofs;
while (de < end) {
const char *de_name;
- int de_namelen;
+ unsigned int de_namelen;
unsigned char d_type;
-#ifdef CONFIG_EROFS_FS_DEBUG
- unsigned int dbg_namelen;
- unsigned char dbg_namebuf[EROFS_NAME_LEN];
-#endif
- if (unlikely(de->file_type < EROFS_FT_MAX))
+ if (de->file_type < EROFS_FT_MAX)
d_type = erofs_filetype_table[de->file_type];
else
d_type = DT_UNKNOWN;
@@ -48,26 +59,20 @@ static int erofs_fill_dentries(struct dir_context *ctx,
nameoff = le16_to_cpu(de->nameoff);
de_name = (char *)dentry_blk + nameoff;
- de_namelen = unlikely(de + 1 >= end) ?
- /* last directory entry */
- strnlen(de_name, maxsize - nameoff) :
- le16_to_cpu(de[1].nameoff) - nameoff;
+ /* the last dirent in the block? */
+ if (de + 1 >= end)
+ de_namelen = strnlen(de_name, maxsize - nameoff);
+ else
+ de_namelen = le16_to_cpu(de[1].nameoff) - nameoff;
/* a corrupted entry is found */
- if (unlikely(de_namelen < 0)) {
+ if (unlikely(nameoff + de_namelen > maxsize ||
+ de_namelen > EROFS_NAME_LEN)) {
DBG_BUGON(1);
return -EIO;
}
-#ifdef CONFIG_EROFS_FS_DEBUG
- dbg_namelen = min(EROFS_NAME_LEN - 1, de_namelen);
- memcpy(dbg_namebuf, de_name, dbg_namelen);
- dbg_namebuf[dbg_namelen] = '\0';
-
- debugln("%s, found de_name %s de_len %d d_type %d", __func__,
- dbg_namebuf, de_namelen, d_type);
-#endif
-
+ debug_one_dentry(d_type, de_name, de_namelen);
if (!dir_emit(ctx, de_name, de_namelen,
le64_to_cpu(de->nid), d_type))
/* stopped by some reason */
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH] staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()
@ 2019-03-28 20:14 ` Gao Xiang
0 siblings, 0 replies; 7+ messages in thread
From: Gao Xiang @ 2019-03-28 20:14 UTC (permalink / raw)
From: Gao Xiang <gaoxiang25@huawei.com>
After commit 419d6efc50e9, kernel cannot be crashed in the namei
path. However, corrupted nameoff can do harm in the process of
readdir for scenerios without dm-verity as well. Fix it now.
Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
Cc: <stable at vger.kernel.org> # 4.19+
Signed-off-by: Gao Xiang <gaoxiang25 at huawei.com>
---
The remaining work of
https://lore.kernel.org/linux-fsdevel/20181102194235.GA32577 at ZenIV.linux.org.uk/
and the patch had been staying in my private repo for a while.
I'd like to get it reviewed now and fixed.
Thanks,
Gao Xiang
drivers/staging/erofs/dir.c | 45 +++++++++++++++++++++++++--------------------
1 file changed, 25 insertions(+), 20 deletions(-)
diff --git a/drivers/staging/erofs/dir.c b/drivers/staging/erofs/dir.c
index 829f7b12e0dc..9bbc68729c11 100644
--- a/drivers/staging/erofs/dir.c
+++ b/drivers/staging/erofs/dir.c
@@ -23,6 +23,21 @@ static const unsigned char erofs_filetype_table[EROFS_FT_MAX] = {
[EROFS_FT_SYMLINK] = DT_LNK,
};
+static void debug_one_dentry(unsigned char d_type, const char *de_name,
+ unsigned int de_namelen)
+{
+#ifdef CONFIG_EROFS_FS_DEBUG
+ /* since the on-disk name could not have the trailing '\0' */
+ unsigned char dbg_namebuf[EROFS_NAME_LEN + 1];
+
+ memcpy(dbg_namebuf, de_name, de_namelen);
+ dbg_namebuf[de_namelen] = '\0';
+
+ debugln("found dirent %s de_len %u d_type %d", dbg_namebuf,
+ de_namelen, d_type);
+#endif
+}
+
static int erofs_fill_dentries(struct dir_context *ctx,
void *dentry_blk, unsigned int *ofs,
unsigned int nameoff, unsigned int maxsize)
@@ -33,14 +48,10 @@ static int erofs_fill_dentries(struct dir_context *ctx,
de = dentry_blk + *ofs;
while (de < end) {
const char *de_name;
- int de_namelen;
+ unsigned int de_namelen;
unsigned char d_type;
-#ifdef CONFIG_EROFS_FS_DEBUG
- unsigned int dbg_namelen;
- unsigned char dbg_namebuf[EROFS_NAME_LEN];
-#endif
- if (unlikely(de->file_type < EROFS_FT_MAX))
+ if (de->file_type < EROFS_FT_MAX)
d_type = erofs_filetype_table[de->file_type];
else
d_type = DT_UNKNOWN;
@@ -48,26 +59,20 @@ static int erofs_fill_dentries(struct dir_context *ctx,
nameoff = le16_to_cpu(de->nameoff);
de_name = (char *)dentry_blk + nameoff;
- de_namelen = unlikely(de + 1 >= end) ?
- /* last directory entry */
- strnlen(de_name, maxsize - nameoff) :
- le16_to_cpu(de[1].nameoff) - nameoff;
+ /* the last dirent in the block? */
+ if (de + 1 >= end)
+ de_namelen = strnlen(de_name, maxsize - nameoff);
+ else
+ de_namelen = le16_to_cpu(de[1].nameoff) - nameoff;
/* a corrupted entry is found */
- if (unlikely(de_namelen < 0)) {
+ if (unlikely(nameoff + de_namelen > maxsize ||
+ de_namelen > EROFS_NAME_LEN)) {
DBG_BUGON(1);
return -EIO;
}
-#ifdef CONFIG_EROFS_FS_DEBUG
- dbg_namelen = min(EROFS_NAME_LEN - 1, de_namelen);
- memcpy(dbg_namebuf, de_name, dbg_namelen);
- dbg_namebuf[dbg_namelen] = '\0';
-
- debugln("%s, found de_name %s de_len %d d_type %d", __func__,
- dbg_namebuf, de_namelen, d_type);
-#endif
-
+ debug_one_dentry(d_type, de_name, de_namelen);
if (!dir_emit(ctx, de_name, de_namelen,
le64_to_cpu(de->nid), d_type))
/* stopped by some reason */
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()
2019-03-28 20:14 ` Gao Xiang
@ 2019-03-29 6:28 ` Chao Yu
-1 siblings, 0 replies; 7+ messages in thread
From: Chao Yu @ 2019-03-29 6:28 UTC (permalink / raw)
To: Gao Xiang, Greg Kroah-Hartman
Cc: devel, linux-erofs, LKML, chao, weidu.du, Miao Xie, Gao Xiang, # 4 . 19+
On 2019/3/29 4:14, Gao Xiang wrote:
> From: Gao Xiang <gaoxiang25@huawei.com>
>
> After commit 419d6efc50e9, kernel cannot be crashed in the namei
> path. However, corrupted nameoff can do harm in the process of
> readdir for scenerios without dm-verity as well. Fix it now.
>
> Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
> Cc: <stable@vger.kernel.org> # 4.19+
> Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Thanks,
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()
@ 2019-03-29 6:28 ` Chao Yu
0 siblings, 0 replies; 7+ messages in thread
From: Chao Yu @ 2019-03-29 6:28 UTC (permalink / raw)
On 2019/3/29 4:14, Gao Xiang wrote:
> From: Gao Xiang <gaoxiang25 at huawei.com>
>
> After commit 419d6efc50e9, kernel cannot be crashed in the namei
> path. However, corrupted nameoff can do harm in the process of
> readdir for scenerios without dm-verity as well. Fix it now.
>
> Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
> Cc: <stable at vger.kernel.org> # 4.19+
> Signed-off-by: Gao Xiang <gaoxiang25 at huawei.com>
Reviewed-by: Chao Yu <yuchao0 at huawei.com>
Thanks,
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()
2019-03-28 20:14 ` Gao Xiang
(?)
(?)
@ 2019-03-30 13:45 ` Sasha Levin
2019-04-01 7:11 ` Gao Xiang
-1 siblings, 1 reply; 7+ messages in thread
From: Sasha Levin @ 2019-03-30 13:45 UTC (permalink / raw)
Hi,
[This is an automated email]
This commit has been processed because it contains a "Fixes:" tag,
fixing commit: 3aa8ec716e52 staging: erofs: add directory operations.
The bot has tested the following trees: v5.0.5, v4.19.32.
v5.0.5: Build OK!
v4.19.32: Failed to apply! Possible dependencies:
6e78901a9f23 ("staging: erofs: separate erofs_get_meta_page")
7dd68b147d60 ("staging: erofs: use explicit unsigned int type")
8be31270362b ("staging: erofs: introduce erofs_grab_bio")
ab47dd2b0819 ("staging: erofs: cleanup z_erofs_vle_work_{lookup, register}")
How should we proceed with this patch?
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()
2019-03-30 13:45 ` Sasha Levin
@ 2019-04-01 7:11 ` Gao Xiang
0 siblings, 0 replies; 7+ messages in thread
From: Gao Xiang @ 2019-04-01 7:11 UTC (permalink / raw)
To: Sasha Levin; +Cc: Gao Xiang, Chao Yu, devel, linux-erofs, stable
Hi,
On 2019/3/30 21:45, Sasha Levin wrote:
> Hi,
>
> [This is an automated email]
>
> This commit has been processed because it contains a "Fixes:" tag,
> fixing commit: 3aa8ec716e52 staging: erofs: add directory operations.
>
> The bot has tested the following trees: v5.0.5, v4.19.32.
>
> v5.0.5: Build OK!
> v4.19.32: Failed to apply! Possible dependencies:
> 6e78901a9f23 ("staging: erofs: separate erofs_get_meta_page")
> 7dd68b147d60 ("staging: erofs: use explicit unsigned int type")
> 8be31270362b ("staging: erofs: introduce erofs_grab_bio")
> ab47dd2b0819 ("staging: erofs: cleanup z_erofs_vle_work_{lookup, register}")
>
>
> How should we proceed with this patch?
I have made a 4.19 patch for this:
https://lore.kernel.org/lkml/20190401065309.68109-2-gaoxiang25@huawei.com/
Thanks,
Gao Xiang
>
> --
> Thanks,
> Sasha
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()
@ 2019-04-01 7:11 ` Gao Xiang
0 siblings, 0 replies; 7+ messages in thread
From: Gao Xiang @ 2019-04-01 7:11 UTC (permalink / raw)
Hi,
On 2019/3/30 21:45, Sasha Levin wrote:
> Hi,
>
> [This is an automated email]
>
> This commit has been processed because it contains a "Fixes:" tag,
> fixing commit: 3aa8ec716e52 staging: erofs: add directory operations.
>
> The bot has tested the following trees: v5.0.5, v4.19.32.
>
> v5.0.5: Build OK!
> v4.19.32: Failed to apply! Possible dependencies:
> 6e78901a9f23 ("staging: erofs: separate erofs_get_meta_page")
> 7dd68b147d60 ("staging: erofs: use explicit unsigned int type")
> 8be31270362b ("staging: erofs: introduce erofs_grab_bio")
> ab47dd2b0819 ("staging: erofs: cleanup z_erofs_vle_work_{lookup, register}")
>
>
> How should we proceed with this patch?
I have made a 4.19 patch for this:
https://lore.kernel.org/lkml/20190401065309.68109-2-gaoxiang25 at huawei.com/
Thanks,
Gao Xiang
>
> --
> Thanks,
> Sasha
>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-04-01 7:11 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-28 20:14 [PATCH] staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir() Gao Xiang
2019-03-28 20:14 ` Gao Xiang
2019-03-29 6:28 ` Chao Yu
2019-03-29 6:28 ` Chao Yu
2019-03-30 13:45 ` Sasha Levin
2019-04-01 7:11 ` Gao Xiang
2019-04-01 7:11 ` Gao Xiang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.