* [PATCH] ubifs: Fix potentially out-of-bounds memory access in ubifs_dump_node
@ 2019-12-16 15:44 Liu Song
2020-01-12 22:49 ` Richard Weinberger
0 siblings, 1 reply; 3+ messages in thread
From: Liu Song @ 2019-12-16 15:44 UTC (permalink / raw)
To: richard; +Cc: linux-mtd, linux-kernel, liu.song11
From: Liu Song <liu.song11@zte.com.cn>
In “ubifs_check_node”, when “node_len + offs> c-> leb_size”, then
goto label of "out_len". Then, in the following "ubifs_dump_node",
if inode type is "UBIFS_DATA_NODE", in "print_hex_dump", an
out-of-bounds access may occur due to the wrong "ch->len".
We encountered this problem in our environment. If "ch-> len" is
very large, it may even cause the kernel to crash.
There are three reasons to choose to remove "print_hex_dump".
1) As mentioned earlier, the exception "ch-> len" may cause an
exception in "print_hex_dump";
2) Data nodes are often large. When printing data content in
"print_hex_dump", a large amount of output will bring a high load
on the system, and may even cause a watchdog reset;
3) Even if there is a CRC check error, the stuff of file is difficult
to identify, and difficult to find the problem from a large amount of
output. We have already output the LEB and offset of the node. So we
can take the initiative to view the data of interest, instead of
printing it directly.
Signed-off-by: Liu Song <liu.song11@zte.com.cn>
---
fs/ubifs/debug.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/fs/ubifs/debug.c b/fs/ubifs/debug.c
index 0f5a480fe264..e9fc6f0daec8 100644
--- a/fs/ubifs/debug.c
+++ b/fs/ubifs/debug.c
@@ -476,9 +476,6 @@ void ubifs_dump_node(const struct ubifs_info *c, const void *node)
pr_err("\tcompr_typ %d\n",
(int)le16_to_cpu(dn->compr_type));
pr_err("\tdata size %d\n", dlen);
- pr_err("\tdata:\n");
- print_hex_dump(KERN_ERR, "\t", DUMP_PREFIX_OFFSET, 32, 1,
- (void *)&dn->data, dlen, 0);
break;
}
case UBIFS_TRUN_NODE:
--
2.20.1
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] ubifs: Fix potentially out-of-bounds memory access in ubifs_dump_node
2019-12-16 15:44 [PATCH] ubifs: Fix potentially out-of-bounds memory access in ubifs_dump_node Liu Song
@ 2020-01-12 22:49 ` Richard Weinberger
0 siblings, 0 replies; 3+ messages in thread
From: Richard Weinberger @ 2020-01-12 22:49 UTC (permalink / raw)
To: Liu Song; +Cc: Richard Weinberger, linux-mtd, LKML, liu.song11
On Mon, Dec 16, 2019 at 4:45 PM Liu Song <fishland@aliyun.com> wrote:
>
> From: Liu Song <liu.song11@zte.com.cn>
>
> In “ubifs_check_node”, when “node_len + offs> c-> leb_size”, then
> goto label of "out_len". Then, in the following "ubifs_dump_node",
> if inode type is "UBIFS_DATA_NODE", in "print_hex_dump", an
> out-of-bounds access may occur due to the wrong "ch->len".
> We encountered this problem in our environment. If "ch-> len" is
> very large, it may even cause the kernel to crash.
>
> There are three reasons to choose to remove "print_hex_dump".
> 1) As mentioned earlier, the exception "ch-> len" may cause an
> exception in "print_hex_dump";
> 2) Data nodes are often large. When printing data content in
> "print_hex_dump", a large amount of output will bring a high load
> on the system, and may even cause a watchdog reset;
> 3) Even if there is a CRC check error, the stuff of file is difficult
> to identify, and difficult to find the problem from a large amount of
> output. We have already output the LEB and offset of the node. So we
> can take the initiative to view the data of interest, instead of
> printing it directly.
If UBIFS dumps data nodes due an error we are already in deep trouble
and having the content of bad data nodes can be helpful.
This feature helped me more than once to debug issues.
--
Thanks,
//richard
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
^ permalink raw reply [flat|nested] 3+ messages in thread
[parent not found: <20191216154441.6648-1-fishland@aliyun.com, CAFLxGvyU=zh23vkYiAGRzyd4LGJodLwRRa1S03THAoSaSL=dGA@mail.gmail.com>]
end of thread, other threads:[~2020-01-13 7:54 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-16 15:44 [PATCH] ubifs: Fix potentially out-of-bounds memory access in ubifs_dump_node Liu Song
2020-01-12 22:49 ` Richard Weinberger
[not found] <20191216154441.6648-1-fishland@aliyun.com, CAFLxGvyU=zh23vkYiAGRzyd4LGJodLwRRa1S03THAoSaSL=dGA@mail.gmail.com>
[not found] ` <202001131229371470661@zte.com.cn>
2020-01-13 7:54 ` Richard Weinberger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).