| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 Dec 2016 11:32:38 -0700
From: Andreas Dilger <adilger@...ger.ca>
To: yi zhang <yi.zhang@...wei.com>
Cc: Ext4 Developers List <linux-ext4@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
linux-fsdevel@...r.kernel.org, tytso@....edu,
adilger.kernel@...ger.ca
Subject: Re: [RFC PATCH] ext4: increase the protection of drop nlink and ext4 inode destroy
On Dec 26, 2016, at 5:34 AM, yi zhang <yi.zhang@...wei.com> wrote:
>
> Because of the disk and hardware issue, the ext4 filesystem have
> many errors, the inode->i_nlink of ext4 becomes zero abnormally
> but the dentry is still positive, it will cause memory corruption
> after the following process:
>
> 1) Due to the inode->i_nlink is 0, this inode will be added into
> the orhpan list,
> 2) ext4_rename() cover this inode, and drop_nlink() will reverse
> the inode->i_nlink to 0xFFFFFFFF,
> 3) iput() add this inode to LRU,
> 4) evict() will call destroy_inode() to destroy this inode but
> skip removing it from the orphan list,
> 5) after this, the inode's memory address space will be used by
> other module, when the ext4 filesystem change the orphan list, it will
> trample other module's data and then may cause oops.
>
> Although we cannot avoid hardware and disk errors, we can control the
> softwore error in the ext4 module, do not affect other modules and
> increase the difficulty of locating problems.
>
> This patch avoid inode->i_nlink reverse and remove the inode form the
(typo) s/form/from/
> orphan list when destroy it if the list is not empty.
> Signed-off-by: yi zhang <yi.zhang@...wei.com>
> ---
> fs/ext4/super.c | 1 +
> fs/inode.c | 5 ++++-
> 2 files changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 52b0530..617327e 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -975,6 +975,7 @@ static void ext4_destroy_inode(struct inode *inode)
> EXT4_I(inode), sizeof(struct ext4_inode_info),
> true);
> dump_stack();
> + ext4_orphan_del(NULL, inode);
> }
> call_rcu(&inode->i_rcu, ext4_i_callback);
> }
> diff --git a/fs/inode.c b/fs/inode.c
> index 88110fd..079d383 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -279,7 +279,10 @@ static void destroy_inode(struct inode *inode)
> */
> void drop_nlink(struct inode *inode)
> {
> - WARN_ON(inode->i_nlink == 0);
> + if (WARN(inode->i_nlink == 0, "inode %lu nlink"
> + " is already 0", inode->i_ino))
(style) the string should be kept on a single line instead of being
split, especially since it can fit easily.
(defect) this needs to have a newline.
if (WARN(inode->i_nlink == 0,
"inode %lu nlink is already 0\n", inode->i_ino))
Cheers, Andreas
> + return;
> +
> inode->__i_nlink--;
> if (!inode->i_nlink)
> atomic_long_inc(&inode->i_sb->s_remove_count);
> --
> 2.5.0
>
Cheers, Andreas
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists