| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200619064122.vj346xptid5viogv@work>
Date: Fri, 19 Jun 2020 08:41:22 +0200
From: Lukas Czerner <lczerner@...hat.com>
To: Eric Sandeen <sandeen@...hat.com>
Cc: "linux-ext4@...r.kernel.org" <linux-ext4@...r.kernel.org>
Subject: Re: [PATCH 1/1] ext4: fix potential negative array index in
do_split()
On Wed, Jun 17, 2020 at 02:19:04PM -0500, Eric Sandeen wrote:
> If for any reason a directory passed to do_split() does not have enough
> active entries to exceed half the size of the block, we can end up
> iterating over all "count" entries without finding a split point.
>
> In this case, count == move, and split will be zero, and we will
> attempt a negative index into map[].
>
> Guard against this by detecting this case, and falling back to
> split-to-half-of-count instead; in this case we will still have
> plenty of space (> half blocksize) in each split block.
>
> Fixes: ef2b02d3e617 ("ext34: ensure do_split leaves enough free space in both blocks")
> Signed-off-by: Eric Sandeen <sandeen@...hat.com>
> ---
>
> diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
> index a8aca4772aaa..8b60881f07ee 100644
> --- a/fs/ext4/namei.c
> +++ b/fs/ext4/namei.c
> @@ -1858,7 +1858,7 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir,
> blocksize, hinfo, map);
> map -= count;
> dx_sort_map(map, count);
> - /* Split the existing block in the middle, size-wise */
> + /* Ensure that neither split block is over half full */
> size = 0;
> move = 0;
> for (i = count-1; i >= 0; i--) {
> @@ -1868,8 +1868,18 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir,
> size += map[i].size;
> move++;
> }
> - /* map index at which we will split */
> - split = count - move;
> + /*
> + * map index at which we will split
> + *
> + * If the sum of active entries didn't exceed half the block size, just
> + * split it in half by count; each resulting block will have at least
> + * half the space free.
> + */
> + if (i > 0)
> + split = count - move;
> + else
> + split = count/2;
Won't we have exactly the same problem as we did before your commit
ef2b02d3e617cb0400eedf2668f86215e1b0e6af ? Since we do not know how much
space we actually moved we might have not made enough space for the new
entry ?
Also since we have the move == count when the problem appears then it's
clear that we never hit the condition
1865 → → /* is more than half of this entry in 2nd half of the block? */
1866 → → if (size + map[i].size/2 > blocksize/2)
1867 → → → break;
in the loop. This is surprising but it means the the entries must have
gaps between them that are small enough that we can't fit the entry
right in ? Should not we try to compact it before splitting, or is it
the case that this should have been done somewhere else ?
If we really want ot be fair and we want to split it right in the middle
of the entries size-wise then we need to keep track of of sum of the
entries and decide based on that, not blocksize/2. But maybe the problem
could be solved by compacting the entries together because the condition
seems to rely on that.
-Lukas
> +
> hash2 = map[split].hash;
> continued = hash2 == map[split - 1].hash;
> dxtrace(printk(KERN_INFO "Split block %lu at %x, %i/%i\n",
>
>
Powered by blists - more mailing lists