lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 May 2022 21:44:31 +0800 From: Baokun Li <libaokun1@...wei.com> To: Jan Kara <jack@...e.cz> CC: <lczerner@...hat.com>, <linux-ext4@...r.kernel.org>, <tytso@....edu>, <adilger.kernel@...ger.ca>, <ritesh.list@...il.com>, <linux-kernel@...r.kernel.org>, <yi.zhang@...wei.com>, <yebin10@...wei.com>, <yukuai3@...wei.com>, Baokun Li <libaokun1@...wei.com> Subject: Re: [PATCH 2/2] ext4: correct the judgment of BUG in ext4_mb_normalize_request 在 2022/5/24 17:30, Jan Kara 写道: > On Mon 23-05-22 21:04:16, libaokun (A) wrote: >> 在 2022/5/23 17:40, Jan Kara 写道: >>> On Sat 21-05-22 21:42:17, Baokun Li wrote: >>>> When either of the "start + size <= ac->ac_o_ex.fe_logical" or >>>> "start > ac->ac_o_ex.fe_logical" conditions is met, it indicates >>>> that the fe_logical is not in the allocated range. >>>> In this case, it should be bug_ON. >>>> >>>> Fixes: dfe076c106f6 ("ext4: get rid of code duplication") >>>> Signed-off-by: Baokun Li<libaokun1@...wei.com> >>> I think this is actually wrong. The original condition checks whether >>> start + size does not overflow the used integer type. Your condition is >>> much stronger and I don't think it always has to be true. E.g. allocation >>> goal block (start variable) can be pushed to larger values by existing >>> preallocation or so. >>> >>> Honza >>> >> I think there are two reasons for this: >> >> First of all, the code here is as follows. >> ``` >> size = end - start; >> [...] >> if (start + size <= ac->ac_o_ex.fe_logical && >> start > ac->ac_o_ex.fe_logical) { >> ext4_msg(ac->ac_sb, KERN_ERR, >> "start %lu, size %lu, fe_logical %lu", >> (unsigned long) start, (unsigned long) size, >> (unsigned long) ac->ac_o_ex.fe_logical); >> BUG(); >> } >> BUG_ON(size <= 0 || size > EXT4_BLOCKS_PER_GROUP(ac->ac_sb)); >> ``` >> First of all, there is no need to compare with ac_o_ex.fe_logical if it is >> to determine whether there is an overflow. >> Because the previous logic guarantees start < = ac_o_ex.fe_logical, and > How does it guarantee that? The logic: > > if (ar->pleft && start <= ar->lleft) { > size -= ar->lleft + 1 - start; > start = ar->lleft + 1; > } > > can move 'start' to further blocks... This is not the case. According to the code of the preceding process, ar->pleft and ar->pright are assigned values in ext4_ext_map_blocks. ar->pleft is the first allocated block found to the left by map->m_lblk (that is, fe_logical), and ar->pright is the first allocated block found to the right. ar->lleft and ar->lright are logical block numbers, so there must be "ar->lleft < ac_o_ex.fe_logical < ar->lright". > >> limits the scope of size in >> "BUG_ON (size < = 0 | | size > EXT4_BLOCKS_PER_GROUP (ac- > ac_sb))" >> immediately following. > OK, but what guarantees that ac_o_ex.fe_logical < UINT_MAX - size? When ac_o_ex.fe_logical is too large to overflow, predict filesize enters the last branch. In this case, start = ac->ac_o_ex.fe_logical and size = ac->ac_o_ex.fe_len. However, the overflow is checked in ext4_ext_check_overlap of ext4_ext_map_blocks. The code is as follows: ``` 1898 /* check for wrap through zero on extent logical start block*/ 1899 if (b1 + len1 < b1) { 1900 len1 = EXT_MAX_BLOCKS - b1; 1901 newext->ee_len = cpu_to_le16(len1); 1902 ret = 1; 1903 } ``` Therefore, no overflow occurs. > >> Secondly, the following code flow also reflects this logic. >> >> ext4_mb_normalize_request >> >>> start + size <= ac->ac_o_ex.fe_logical >> ext4_mb_regular_allocator >> ext4_mb_simple_scan_group >> ext4_mb_use_best_found >> ext4_mb_new_preallocation >> ext4_mb_new_inode_pa >> ext4_mb_use_inode_pa >> >>> set ac->ac_b_ex.fe_len <= 0 >> ext4_mb_mark_diskspace_used >> >>> BUG_ON(ac->ac_b_ex.fe_len <= 0); >> >> In ext4_mb_use_inode_pa, you have the following code. >> ``` >> start = pa->pa_pstart + (ac->ac_o_ex.fe_logical - pa->pa_lstart); >> end = min(pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len), start + EXT4_C2B(sbi, >> ac->ac_o_ex.fe_len)); >> len = EXT4_NUM_B2C(sbi, end - start); >> ac->ac_b_ex.fe_len = len; >> ``` >> The starting position in ext4_mb_mark_diskspace_used will be assert. >> BUG_ON(ac->ac_b_ex.fe_len <= 0); >> >> When end == start + EXT4_C2B(sbi, ac->ac_o_ex.fe_len) is used, the value of >> end - start must be greater than 0. >> However, when end == pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len) occurs, this >> bug_ON may be triggered. >> When this bug_ON is triggered, that is, >> >> ac->ac_b_ex.fe_len <= 0 >> end - start <= 0 >> end <= start >> pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len) <= pa->pa_pstart + >> (ac->ac_o_ex.fe_logical - pa->pa_lstart) >> pa->pa_len <= ac->ac_o_ex.fe_logical - pa->pa_lstart >> pa->pa_lstart + pa->pa_len <= ac->ac_o_ex.fe_logical >> start + size <= ac->ac_o_ex.fe_logical >> >> So I think that "&&" here should be changed to "||". > Sorry, I still disagree. After some more code reading I agree that > ac->ac_o_ex.fe_logical is the logical block where we want allocated blocks > to be placed in the inode so logical extent of allocated blocks should include > ac->ac_o_ex.fe_logical. But I would be reluctant to make assertion you > suggest unless we make sure ac->ac_o_ex.fe_logical in unallocated (in which > case we can also remove some other code from ext4_mb_normalize_request()). > > Honza > What codes are you referring to that can be deleted? -- With Best Regards, Baokun Li
Powered by blists - more mailing lists