lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20221206015806.3420321-3-yebin@huaweicloud.com>
Date:   Tue,  6 Dec 2022 09:58:02 +0800
From:   Ye Bin <yebin@...weicloud.com>
To:     tytso@....edu, adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org, jack@...e.cz,
        Ye Bin <yebin10@...wei.com>
Subject: [PATCH -next 2/6] ext4: add primary check extended attribute inode in ext4_xattr_check_entries()

From: Ye Bin <yebin10@...wei.com>

Add primary check for extended attribute inode, only do hash check when read
ea_inode's data in ext4_xattr_inode_get().

Signed-off-by: Ye Bin <yebin10@...wei.com>
---
 fs/ext4/xattr.c | 41 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 36 insertions(+), 5 deletions(-)

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 718ef3987f94..eed001eee3ec 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -83,6 +83,9 @@ static __le32 ext4_xattr_hash_entry(char *name, size_t name_len, __le32 *value,
 				    size_t value_count);
 static void ext4_xattr_rehash(struct ext4_xattr_header *);
 
+static int ext4_xattr_inode_iget(struct inode *parent, unsigned long ea_ino,
+				 u32 ea_inode_hash, struct inode **ea_inode);
+
 static const struct xattr_handler * const ext4_xattr_handler_map[] = {
 	[EXT4_XATTR_INDEX_USER]		     = &ext4_xattr_user_handler,
 #ifdef CONFIG_EXT4_FS_POSIX_ACL
@@ -181,9 +184,32 @@ ext4_xattr_handler(int name_index)
 	return handler;
 }
 
+static inline int ext4_xattr_check_extra_inode(struct inode *inode,
+					       struct ext4_xattr_entry *entry)
+{
+	int err;
+	struct inode *ea_inode;
+
+	err = ext4_xattr_inode_iget(inode, le32_to_cpu(entry->e_value_inum),
+				    le32_to_cpu(entry->e_hash), &ea_inode);
+	if (err)
+		return err;
+
+	if (i_size_read(ea_inode) != le32_to_cpu(entry->e_value_size)) {
+		ext4_warning_inode(ea_inode,
+                           "ea_inode file size=%llu entry size=%u",
+                           i_size_read(ea_inode),
+			   le32_to_cpu(entry->e_value_size));
+		err = -EFSCORRUPTED;
+	}
+	iput(ea_inode);
+
+	return err;
+}
+
 static int
-ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end,
-			 void *value_start)
+ext4_xattr_check_entries(struct inode *inode, struct ext4_xattr_entry *entry,
+			 void *end, void *value_start)
 {
 	struct ext4_xattr_entry *e = entry;
 
@@ -221,6 +247,10 @@ ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end,
 			    size > end - value ||
 			    EXT4_XATTR_SIZE(size) > end - value)
 				return -EFSCORRUPTED;
+		} else if (entry->e_value_inum) {
+			int err = ext4_xattr_check_extra_inode(inode, entry);
+			if (err)
+				return err;
 		}
 		entry = EXT4_XATTR_NEXT(entry);
 	}
@@ -243,8 +273,8 @@ __ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh,
 	error = -EFSBADCRC;
 	if (!ext4_xattr_block_csum_verify(inode, bh))
 		goto errout;
-	error = ext4_xattr_check_entries(BFIRST(bh), bh->b_data + bh->b_size,
-					 bh->b_data);
+	error = ext4_xattr_check_entries(inode, BFIRST(bh),
+					 bh->b_data + bh->b_size, bh->b_data);
 errout:
 	if (error)
 		__ext4_error_inode(inode, function, line, 0, -error,
@@ -268,7 +298,8 @@ __xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
 	if (end - (void *)header < sizeof(*header) + sizeof(u32) ||
 	    (header->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC)))
 		goto errout;
-	error = ext4_xattr_check_entries(IFIRST(header), end, IFIRST(header));
+	error = ext4_xattr_check_entries(inode, IFIRST(header), end,
+					 IFIRST(header));
 errout:
 	if (error)
 		__ext4_error_inode(inode, function, line, 0, -error,
-- 
2.31.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ