lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1901841E-AE43-4AE2-B8F0-8F745B00664F@dilger.ca>
Date:   Tue, 28 Jan 2020 18:23:18 -0700
From:   Andreas Dilger <adilger@...ger.ca>
To:     Matthew Wilcox <willy@...radead.org>
Cc:     linux-ext4 <linux-ext4@...r.kernel.org>,
        Tiezhu Yang <yangtiezhu@...ngson.cn>,
        "Theodore Y. Ts'o" <tytso@....edu>, Chao Yu <yuchao0@...wei.com>,
        linux-fscrypt@...r.kernel.org,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>
Subject: Re: [PATCH v4] fs: introduce is_dot_or_dotdot helper for cleanup

On Jan 28, 2020, at 3:11 PM, Matthew Wilcox <willy@...radead.org> wrote:
> 
> 
> I've tried to get Ted's opinion on this a few times with radio silence.
> Or email is broken.  Anyone else care to offer an opinion?

Maybe I'm missing something, but I think the discussion of the len == 0
case is now moot, since PATCH v6 (which is the latest version that I can
find) is checking for "len >= 1" before accessing name[0]:

+static inline bool is_dot_or_dotdot(const unsigned char *name, size_t len)
+{
+	if (len >= 1 && unlikely(name[0] == '.')) {
+		if (len == 1 || (len == 2 && name[1] == '.'))
+			return true;
+	}
+
+	return false;
+}

This seems a tiny bit sub-optimal, as (len >= 1) is true for almost every
filename, so it doesn't allow failing the condition quickly.  Checking
for exactly (len == 1) and (len == 2) allows failing this condition for
most of the files immediately, which makes "unlikely()" actually useful,
and allows simplifying the inside condition.

static inline bool is_dot_or_dotdot(const unsigned char *name, size_t len)
{
	if (unlikely((len == 1 || len == 2) && name[0] == '.')) {
		if (len == 1 || name[1] == '.')
			return true;
	}

	return false;
}

That said, this is at best micro-optimization so it isn't obvious this is
much of an improvement or not.

Cheers, Andreas

> On Mon, Dec 30, 2019 at 06:13:03AM -0800, Matthew Wilcox wrote:
>> 
>> Didn't see a response from you on this.  Can you confirm the three
>> cases in ext4 mentioned below should be converted to return -EUNCLEAN?
>> 
>> ----- Forwarded message from Matthew Wilcox <willy@...radead.org> -----
>> 
>> Date: Thu, 12 Dec 2019 10:13:02 -0800
>> From: Matthew Wilcox <willy@...radead.org>
>> To: Eric Biggers <ebiggers@...nel.org>
>> Cc: Tiezhu Yang <yangtiezhu@...ngson.cn>, Alexander Viro
>> 	<viro@...iv.linux.org.uk>, "Theodore Y. Ts'o" <tytso@....edu>, Jaegeuk
>> 	Kim <jaegeuk@...nel.org>, Chao Yu <yuchao0@...wei.com>, Tyler Hicks
>> 	<tyhicks@...onical.com>, linux-fsdevel@...r.kernel.org,
>> 	ecryptfs@...r.kernel.org, linux-fscrypt@...r.kernel.org,
>> 	linux-f2fs-devel@...ts.sourceforge.net, linux-kernel@...r.kernel.org
>> Subject: Re: [PATCH v4] fs: introduce is_dot_or_dotdot helper for cleanup
>> User-Agent: Mutt/1.12.1 (2019-06-15)
>> 
>> On Tue, Dec 10, 2019 at 11:19:13AM -0800, Eric Biggers wrote:
>>>> +static inline bool is_dot_or_dotdot(const unsigned char *name, size_t len)
>>>> +{
>>>> +	if (unlikely(name[0] == '.')) {
>>>> +		if (len < 2 || (len == 2 && name[1] == '.'))
>>>> +			return true;
>>>> +	}
>>>> +
>>>> +	return false;
>>>> +}
>>> 
>>> This doesn't handle the len=0 case.  Did you check that none of the users pass
>>> in zero-length names?  It looks like fscrypt_fname_disk_to_usr() can, if the
>>> directory entry on-disk has a zero-length name.  Currently it will return
>>> -EUCLEAN in that case, but with this patch it may think it's the name ".".
>> 
>> Trying to wrench this back on track ...
>> 
>> fscrypt_fname_disk_to_usr is called by:
>> 
>> fscrypt_get_symlink():
>>       if (cstr.len == 0)
>>                return ERR_PTR(-EUCLEAN);
>> ext4_readdir():
>> 	Does not currently check de->name_len.  I believe this check should
>> 	be added to __ext4_check_dir_entry() because a zero-length directory
>> 	entry can affect both encrypted and non-encrypted directory entries.
>> dx_show_leaf():
>> 	Same as ext4_readdir().  Should probably call ext4_check_dir_entry()?
>> htree_dirblock_to_tree():
>> 	Would be covered by a fix to ext4_check_dir_entry().
>> f2fs_fill_dentries():
>> 	if (de->name_len == 0) {
>> 		...
>> ubifs_readdir():
>> 	Does not currently check de->name_len.  Also affects non-encrypted
>> 	directory entries.
>> 
>> So of the six callers, two of them already check the dirent length for
>> being zero, and four of them ought to anyway, but don't.  I think they
>> should be fixed, but clearly we don't historically check for this kind
>> of data corruption (strangely), so I don't think that's a reason to hold
>> up this patch until the individual filesystems are fixed.
>> 
>> ----- End forwarded message -----
> 
> ----- End forwarded message -----


Cheers, Andreas






Download attachment "signature.asc" of type "application/pgp-signature" (874 bytes)

Powered by blists - more mailing lists