lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <A695FC57-D150-42A9-9E55-32DC8D1AED76@dilger.ca>
Date:   Mon, 11 Feb 2019 13:38:59 -0700
From:   Andreas Dilger <adilger@...ger.ca>
To:     Dan Carpenter <dan.carpenter@...cle.com>
Cc:     Theodore Ts'o <tytso@....edu>,
        Ext4 Developers List <linux-ext4@...r.kernel.org>,
        kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] ext4: prevent very high s_inode_readahead_blks

On Feb 11, 2019, at 11:44 AM, Dan Carpenter <dan.carpenter@...cle.com> wrote:
> 
> My static checker complains that "arg" can be negative.  That does seem
> possible.  I don't know if it causes an issue at run time but it seems
> safest to allow negatives.

The option declaration requires that "arg" be greater than zero:

        {Opt_inode_readahead_blks, 2, MOPT_GTE0},

and this is checked earlier in handle_mount_opt():

        if (args->from && (m->flags & MOPT_GTE0) && (arg < 0))
                return -1;

but I agree that having false static checking warnings is annoying
and potentially also hides other issues.

> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> ---
> fs/ext4/super.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 60da0a6e4d86..4e0845708c52 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -1838,7 +1838,7 @@ static int handle_mount_opt(struct super_block *sb,
> 	} else if (token == Opt_min_batch_time) {
> 		sbi->s_min_batch_time = arg;
> 	} else if (token == Opt_inode_readahead_blks) {
> -		if (arg && (arg > (1 << 30) || !is_power_of_2(arg))) {
> +		if (arg && (arg > (1U << 30) || !is_power_of_2(arg))) {

This may "fix" the problem by virtue of implicitly forcing an unsigned
comparison, but doesn't necessarily make the issue more obvious to the
reader.

That said, it doesn't look like _any_ use of "arg" allows a negative
value, regardless of whether MOPT_GTE0 is set or not, so we should
just declare arg as an unsigned int or explicitly refuse all negatives:

	if (args->from && !(m->flags & MOPT_STRING)) {
		if (match_int(args, &arg))
			return -1;
		if (arg < 0)
			return -1;
	}

This should keep the static checker happy, since the only place that
"arg" is set away from zero it is also verified not to be negative.
At that point it would also be possible to remove MOPT_GTE0 completely.

Cheers, Andreas






Download attachment "signature.asc" of type "application/pgp-signature" (874 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ