[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20060721170627.4cbea27d.akpm@osdl.org>
Date: Fri, 21 Jul 2006 17:06:27 -0700
From: Andrew Morton <akpm@...l.org>
To: Neil Brown <neilb@...e.de>
Cc: jack@...e.cz, 20@...ingley.org, marcel@...tmann.org,
linux-kernel@...r.kernel.org, sct@...hat.com,
"Theodore Ts'o" <tytso@....edu>,
Andreas Dilger <adilger@...sterfs.com>
Subject: Re: Bad ext3/nfs DoS bug
On Fri, 21 Jul 2006 16:39:32 +1000
Neil Brown <neilb@...e.de> wrote:
> Avoid triggering ext3_error on bad NFS file handle
>
> The inode number out of an NFS file handle gets passed
> eventually to ext3_get_inode_block without any checking.
> If ext3_get_inode_block allows it to trigger a error,
> then bad filehandles can have unpleasant effect.
>
> So remove the call to ext3_error there and put a matching
> check in ext3/namei.c where inode numbers are read of storage.
>
There are strange things happening in here.
> +static inline int ext3_valid_inum(struct super_block *sb, unsigned long ino)
> +{
> + return ino == EXT3_ROOT_INO ||
> + ino == EXT3_JOURNAL_INO ||
> + ino == EXT3_RESIZE_INO ||
> + (ino > EXT3_FIRST_INO(sb) &&
> + ino <= le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count));
> +}
One would expect the inode validity test to be
(ino >= EXT3_FIRST_INO(sb)) && (ino < ...->s_inodes_count))
but even this assumes that s_inodes_count is misnamed and really should be
called s_last_inode_plus_one. If it is not misnamed then the validity test
should be
(ino >= EXT3_FIRST_INO(sb)) &&
(ino < EXT3_FIRST_INO(sb) + ...->s_inodes_count))
Look through the filesystem for other uses of EXT3_FIRST_INO(). It's all
rather fishily inconsistent.
Ted, Andreas: do you think we could come up with statements describing
exactly what the values in EXT3_FIRST_INO() and in ->s_inodes_count
represent? Thanks.
Also Neil, I wonder whether this patch of yours still permits NFS clients
to access the journal and resize inodes in undesirable ways?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists