| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20241206172828.3219989-6-cascardo@igalia.com>
Date: Fri, 6 Dec 2024 14:28:28 -0300
From: Thadeu Lima de Souza Cascardo <cascardo@...lia.com>
To: linux-ext4@...r.kernel.org
Cc: "Theodore Ts'o" <tytso@....edu>,
Andreas Dilger <adilger.kernel@...ger.ca>,
linux-kernel@...r.kernel.org,
kernel-dev@...lia.com,
Thadeu Lima de Souza Cascardo <cascardo@...lia.com>
Subject: [PATCH 5/5] ext4: make i_inline_off point to data
Instead of having i_inline_off pointing to the xattr entry, make it point
directly to the value offset. That will allow e_value_offs to be ignored,
preventing many issues where it might have changed on disk after being
validated.
This prevents many potential out-of-bound accesses.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@...lia.com>
---
fs/ext4/inline.c | 35 +++++++++++------------------------
1 file changed, 11 insertions(+), 24 deletions(-)
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index cd2014af9823..92e300c3f873 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -133,7 +133,12 @@ static void ext4_update_inline_off_size(struct inode *inode,
struct ext4_inode *raw_inode,
struct ext4_xattr_entry *entry)
{
- EXT4_I(inode)->i_inline_off = (u16)((void *)entry - (void *)raw_inode);
+ struct ext4_xattr_ibody_header *header;
+ void *off;
+
+ header = IHDR(inode, raw_inode);
+ off = (void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs);
+ EXT4_I(inode)->i_inline_off = (u16)(off - (void *)raw_inode);
EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE +
le32_to_cpu(entry->e_value_size);
}
@@ -184,8 +189,6 @@ static int ext4_read_inline_data(struct inode *inode, void *buffer,
unsigned int len,
struct ext4_iloc *iloc)
{
- struct ext4_xattr_entry *entry;
- struct ext4_xattr_ibody_header *header;
int cp_len = 0;
struct ext4_inode *raw_inode;
@@ -205,14 +208,7 @@ static int ext4_read_inline_data(struct inode *inode, void *buffer,
if (!len)
goto out;
- header = IHDR(inode, raw_inode);
- entry = (struct ext4_xattr_entry *)((void *)raw_inode +
- EXT4_I(inode)->i_inline_off);
- len = min_t(unsigned int, len,
- (unsigned int)le32_to_cpu(entry->e_value_size));
-
- memcpy(buffer,
- (void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs), len);
+ memcpy(buffer, (void *)raw_inode + EXT4_I(inode)->i_inline_off, len);
cp_len += len;
out:
@@ -273,8 +269,6 @@ static int ext4_read_inline_data_from_inode(struct inode *inode, void **buffer,
static void ext4_write_inline_data(struct inode *inode, struct ext4_iloc *iloc,
void *buffer, loff_t pos, unsigned int len)
{
- struct ext4_xattr_entry *entry;
- struct ext4_xattr_ibody_header *header;
struct ext4_inode *raw_inode;
int cp_len = 0;
@@ -301,11 +295,8 @@ static void ext4_write_inline_data(struct inode *inode, struct ext4_iloc *iloc,
return;
pos -= EXT4_MIN_INLINE_DATA_SIZE;
- header = IHDR(inode, raw_inode);
- entry = (struct ext4_xattr_entry *)((void *)raw_inode +
- EXT4_I(inode)->i_inline_off);
- memcpy((void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs) + pos,
+ memcpy((void *)raw_inode + EXT4_I(inode)->i_inline_off + pos,
buffer, len);
}
@@ -1085,16 +1076,12 @@ static int ext4_add_dirent_to_inline(handle_t *handle,
static void *ext4_get_inline_xattr_pos(struct inode *inode,
struct ext4_iloc *iloc)
{
- struct ext4_xattr_entry *entry;
- struct ext4_xattr_ibody_header *header;
+ struct ext4_inode *raw_inode;
BUG_ON(!EXT4_I(inode)->i_inline_off);
- header = IHDR(inode, ext4_raw_inode(iloc));
- entry = (struct ext4_xattr_entry *)((void *)ext4_raw_inode(iloc) +
- EXT4_I(inode)->i_inline_off);
-
- return (void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs);
+ raw_inode = ext4_raw_inode(iloc);
+ return (void *)raw_inode + EXT4_I(inode)->i_inline_off;
}
/* Set the final de to cover the whole block. */
--
2.34.1
Powered by blists - more mailing lists