lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 21 Jul 2006 17:06:27 -0700
From:	Andrew Morton <akpm@...l.org>
To:	Neil Brown <neilb@...e.de>
Cc:	jack@...e.cz, 20@...ingley.org, marcel@...tmann.org,
	linux-kernel@...r.kernel.org, sct@...hat.com,
	"Theodore Ts'o" <tytso@....edu>,
	Andreas Dilger <adilger@...sterfs.com>
Subject: Re: Bad ext3/nfs DoS bug

On Fri, 21 Jul 2006 16:39:32 +1000
Neil Brown <neilb@...e.de> wrote:

> Avoid triggering ext3_error on bad NFS file handle
> 
> The inode number out of an NFS file handle gets passed 
> eventually to ext3_get_inode_block without any checking.
> If ext3_get_inode_block allows it to trigger a error,
> then bad filehandles can have unpleasant effect.
> 
> So remove the call to ext3_error there and put a matching
> check in ext3/namei.c where inode numbers are read of storage.
> 

There are strange things happening in here.

> +static inline int ext3_valid_inum(struct super_block *sb, unsigned long ino)
> +{
> +	return ino == EXT3_ROOT_INO ||
> +		ino == EXT3_JOURNAL_INO ||
> +		ino == EXT3_RESIZE_INO ||
> +		(ino > EXT3_FIRST_INO(sb) &&
> +		 ino <= le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count));
> +}

One would expect the inode validity test to be

	(ino >= EXT3_FIRST_INO(sb)) && (ino < ...->s_inodes_count))

but even this assumes that s_inodes_count is misnamed and really should be
called s_last_inode_plus_one.  If it is not misnamed then the validity test
should be

	(ino >= EXT3_FIRST_INO(sb)) &&
		(ino < EXT3_FIRST_INO(sb) + ...->s_inodes_count))

Look through the filesystem for other uses of EXT3_FIRST_INO().  It's all
rather fishily inconsistent.

Ted, Andreas: do you think we could come up with statements describing
exactly what the values in EXT3_FIRST_INO() and in ->s_inodes_count
represent?  Thanks.


Also Neil, I wonder whether this patch of yours still permits NFS clients
to access the journal and resize inodes in undesirable ways?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists