From: Lukas Czerner <lczerner@redhat.com>
To: Eric Sandeen <sandeen@sandeen.net>
Cc: Eric Sandeen <sandeen@redhat.com>,
"linux-ext4@vger.kernel.org" <linux-ext4@vger.kernel.org>
Subject: Re: [PATCH 1/1] ext4: fix potential negative array index in do_split()
Date: Fri, 19 Jun 2020 15:53:33 +0200 [thread overview]
Message-ID: <20200619135333.3idxuwhyax543ibt@work> (raw)
In-Reply-To: <be37a8fe-78a8-bcb6-8d30-d975fb1ec080@sandeen.net>
On Fri, Jun 19, 2020 at 08:44:19AM -0500, Eric Sandeen wrote:
> On 6/19/20 6:16 AM, Lukas Czerner wrote:
>
> >> The other possibility is that map[i].size is not right and indeed there
> >> seems to be a bug in dx_make_map()
> >>
> >> map_tail->size = le16_to_cpu(de->rec_len);
> >>
> >> should be
> >>
> >> map_tail->size = ext4_rec_len_from_disk(de->rec_len, blocksize));
> >>
> >> right ? Otherwise with large enough records the size will be smaller
> >> than it really is.
> >>
> >> A quick look at fs/ext4/namei.c reveals couple of places there rec_len
> >> is used without the conversion and we should check whether it needs
> >> fixing.
> >>
> >> -Lukas
> >
> > And indeed the following patch seems to have fixed the issue we were
> > seeing. Eric I think that this might be a proper fix. But we still need
> > to check the other uses of rec_len to make sure it's ok as well.
> >
> > diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
> > index 94ec882..5509fdc 100644
> > --- a/fs/ext4/namei.c
> > +++ b/fs/ext4/namei.c
> > @@ -1068,7 +1068,7 @@ static int dx_make_map(struct ext4_dir_entry_2 *de, unsigned blocksize,
> > map_tail--;
> > map_tail->hash = h.hash;
> > map_tail->offs = ((char *) de - base)>>2;
> > - map_tail->size = le16_to_cpu(de->rec_len);
> > + map_tail->size = ext4_rec_len_from_disk(le16_to_cpu(de->rec_len), blocksize);
>
> That isn't right, ext4_rec_len_from_disk /takes/ an __le16 :)
>
> - map_tail->size = le16_to_cpu(de->rec_len);
> + map_tail->size = ext4_rec_len_from_disk(de->rec_len), blocksize);
Yep, my bad.
>
> would be more correct, but won't matter for PAGE_SIZE < 65536 right?
True, it's not the problem we're seeing.
-Lukas
>
> -Eric
>
next prev parent reply other threads:[~2020-06-19 13:53 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-17 19:01 [PATCH 0/1] ext4: fix potential negative array index in do_split Eric Sandeen
2020-06-17 19:19 ` [PATCH 1/1] ext4: fix potential negative array index in do_split() Eric Sandeen
2020-06-19 0:33 ` Andreas Dilger
2020-06-19 6:41 ` Lukas Czerner
2020-06-19 7:08 ` Lukas Czerner
2020-06-19 11:16 ` Lukas Czerner
2020-06-19 13:44 ` Eric Sandeen
2020-06-19 13:53 ` Lukas Czerner [this message]
2020-06-19 13:42 ` Eric Sandeen
2020-06-19 13:49 ` Lukas Czerner
2020-06-19 13:39 ` Eric Sandeen
2020-07-08 16:09 ` Jan Kara
2020-07-30 1:48 ` tytso
2020-06-19 2:31 ` [PATCH 0/1] ext4: fix potential negative array index in do_split Andreas Dilger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200619135333.3idxuwhyax543ibt@work \
--to=lczerner@redhat.com \
--cc=linux-ext4@vger.kernel.org \
--cc=sandeen@redhat.com \
--cc=sandeen@sandeen.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).