lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 Jul 2006 17:06:27 -0700 From: Andrew Morton <akpm@...l.org> To: Neil Brown <neilb@...e.de> Cc: jack@...e.cz, 20@...ingley.org, marcel@...tmann.org, linux-kernel@...r.kernel.org, sct@...hat.com, "Theodore Ts'o" <tytso@....edu>, Andreas Dilger <adilger@...sterfs.com> Subject: Re: Bad ext3/nfs DoS bug On Fri, 21 Jul 2006 16:39:32 +1000 Neil Brown <neilb@...e.de> wrote: > Avoid triggering ext3_error on bad NFS file handle > > The inode number out of an NFS file handle gets passed > eventually to ext3_get_inode_block without any checking. > If ext3_get_inode_block allows it to trigger a error, > then bad filehandles can have unpleasant effect. > > So remove the call to ext3_error there and put a matching > check in ext3/namei.c where inode numbers are read of storage. > There are strange things happening in here. > +static inline int ext3_valid_inum(struct super_block *sb, unsigned long ino) > +{ > + return ino == EXT3_ROOT_INO || > + ino == EXT3_JOURNAL_INO || > + ino == EXT3_RESIZE_INO || > + (ino > EXT3_FIRST_INO(sb) && > + ino <= le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count)); > +} One would expect the inode validity test to be (ino >= EXT3_FIRST_INO(sb)) && (ino < ...->s_inodes_count)) but even this assumes that s_inodes_count is misnamed and really should be called s_last_inode_plus_one. If it is not misnamed then the validity test should be (ino >= EXT3_FIRST_INO(sb)) && (ino < EXT3_FIRST_INO(sb) + ...->s_inodes_count)) Look through the filesystem for other uses of EXT3_FIRST_INO(). It's all rather fishily inconsistent. Ted, Andreas: do you think we could come up with statements describing exactly what the values in EXT3_FIRST_INO() and in ->s_inodes_count represent? Thanks. Also Neil, I wonder whether this patch of yours still permits NFS clients to access the journal and resize inodes in undesirable ways? - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists