lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <5154F67A.8020401@tao.ma> Date: Fri, 29 Mar 2013 10:03:38 +0800 From: Tao Ma <tm@....ma> To: Zach Brown <zab@...hat.com> CC: linux-ext4@...r.kernel.org Subject: Re: [PATCH 2/2] ext4: Handle readdir when a file is converted from inline to block based. On 03/29/2013 02:44 AM, Zach Brown wrote: >> Zach reported that if a dir is inlined, the offset is within the inode, while >> if we have done the conversion, the dir now will have a block offset or even >> a hashed pos. The good thing is that ext4 is also prepared to handle some >> situation that the dir is changed during many calls of getdents. > > This doesn't fix the problem. The problem isn't using the right code > path within ext4 for either inline or normal block directories. > > The problem is that offsets for existing files change. Yeah, ext4 also > has this problem when it converts from classic linear dirents to hashed > dirents, but I bet that basically doesn't happen any more. Inline dirs > are making the problem happen for every single directory as it grows. Thanks for the explanation. I just looked deep into the problem and yes, the code is really tricky for an old linear dir. Now it also uses the ext4_dx_readdir, so the situation you described doesn't happen... Maybe I will also need to pretend as if inline dir is hashed like the normal linear dir and return the hash value as the pos. Thanks, Tao > > There's two ways to experience the bug: > > 1) nfs clients getting the wrong entry because the offset has changed > from the time that they got it from the server > > 2) more worryingly: a concurrent readdir() can see duplicate entries > from simply advancing f_pos as it does normally > > Here's a quick little demonstration of the second case: > > d_off: 2 d_name: ., f_pos 2 > d_off: 4 d_name: .., f_pos 4 > d_off: 16 d_name: a, f_pos 16 > d_off: 28 d_name: b, f_pos 28 > d_off: 40 d_name: c, f_pos 40 > d_off: 371778706554281332 d_name: .., f_pos 18446744071750344052 > d_off: 1068979911240654558 d_name: b, f_pos 18446744072795659998 > d_off: 6187216788877381273 d_name: c, f_pos 1633586841 > d_off: 6280769109141524706 d_name: e, f_pos 1386254562 > > Run the following in a newly created empty dir with inline_data: > > #include <stdlib.h> > #include <dirent.h> > #include <stdio.h> > #include <sys/types.h> > #include <sys/stat.h> > #include <fcntl.h> > #include <errno.h> > #include <string.h> > #include <sys/syscall.h> > > struct linux_dirent { > long d_ino; > off_t d_off; > unsigned short d_reclen; > char d_name[]; > }; > > int main(int argc, char **argv) > { > struct linux_dirent dent; > char name[2] = {0,}; > int i; > int ret; > int fd; > > fd = open(".", O_RDONLY | O_DIRECTORY); > if (fd < 0) { > printf("open(\".\", O_RDONLY|O_DIRECTORY) failed: %u (%s)\n", > errno, strerror(errno)); > exit(1); > } > > for (i = 0; i < 26; i++) { > name[0] = 'a' + i; > mknod(name, S_IFREG|0755, 0); > ret = syscall(SYS_getdents, fd, &dent, sizeof(dent)); > if (ret < 1) > break; > printf("d_off: %llu d_name: %s, f_pos %llu\n", > (unsigned long long)dent.d_off, > dent.d_name, > (unsigned long long)lseek(fd, 0, SEEK_CUR)); > } > > return 0; > } > -- > To unsubscribe from this list: send the line "unsubscribe linux-ext4" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists