lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Fri, 2 Dec 2022 00:12:24 +0800
From:   "yebin (H)" <>
To:     Theodore Ts'o <>, Ye Bin <>
CC:     <>, <>,
        <>, <>,
Subject: Re: [PATCH v2] ext4: fix WARNING in ext4_expand_extra_isize_ea

On 2022/12/2 0:00, Theodore Ts'o wrote:
> On Thu, Dec 01, 2022 at 10:59:23PM +0800, Ye Bin wrote:
>> Reason is allocate 16M memory by kmalloc, but MAX_ORDER is 11, kmalloc
>> can allocate maxium size memory is 4M.
>> XATTR_SIZE_MAX is currently 64k, but EXT4_XATTR_SIZE_MAX is '(1 << 24)',
>> so 'ext4_xattr_check_entries()' regards this length as legal. Then trigger
>> warning in 'ext4_xattr_move_to_block()'.
>> To solve above issue, according to Jan Kara's suggestion use kvmalloc()
>> to allocate memory in ext4_xattr_move_to_block().
> See my comment to the v1 version of the patch.  I suspect the real
> problem is that the e_value_size is completely bogus, and we should
> have checked it much earlier in the stack call trace, via a call to
> xattr_check_inode().
Yes, Not only the e_value_size is wrong, but also the inode is wrong:
EXT4-fs: Ignoring removed nobh option
EXT4-fs error (device loop0): ext4_xattr_inode_iget:389: comm rep: inode 
#1: comm rep: iget: illegal inode #
EXT4-fs error (device loop0): ext4_xattr_inode_iget:392: comm rep: error 
while reading EA inode 1 err=-117
EXT4-fs warning (device loop0): ext4_expand_extra_isize_ea:2788: Unable 
to expand inode 15. Delete some EAs or run e2fsck.

Maybe we can do follow check  in ext4_xattr_check_entries() when 
"entry->e_value_inum != 0".
err = ext4_xattr_inode_iget(inode, le32_to_cpu(entry->e_value_inum),
                             le32_to_cpu(entry->e_hash), &ea_inode);
if (err) {
         ea_inode = NULL;
         goto out;

if (i_size_read(ea_inode) != size) {
                            "ea_inode file size=%llu entry size=%zu",
                            i_size_read(ea_inode), size);
         err = -EFSCORRUPTED;
         goto out;
> Cheers,
> 					- Ted
> .

Powered by blists - more mailing lists