lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Tue, 28 Oct 2008 21:19:33 +0100 (CET)
From:	Geert Uytterhoeven <Geert.Uytterhoeven@...ycom.com>
To:	Michael Tokarev <mjt@....msk.ru>
cc:	Phillip Lougher <phillip@...gher.demon.co.uk>,
	akpm@...ux-foundation.org, linux-embedded@...r.kernel.org,
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
	tim.bird@...sony.com
Subject: Re: Subject: [PATCH 02/16] Squashfs: directory lookup operations

On Tue, 28 Oct 2008, Michael Tokarev wrote:
> Geert Uytterhoeven wrote:
> > On Fri, 17 Oct 2008, Phillip Lougher wrote:
> > > --- /dev/null
> > > +++ b/fs/squashfs/namei.c
> > 
> > > +static int get_dir_index_using_name(struct super_block *s,
> > > +			long long *next_block, unsigned int *next_offset,
> > > +			long long index_start, unsigned int index_offset,
> > > +			int i_count, const char *name, int len)
> > > +{
> > > +	struct squashfs_sb_info *msblk = s->s_fs_info;
> > > +	int i, size, length = 0;
> > > +	struct squashfs_dir_index *index;
> > > +	char *str;
> > > +
> > > +	TRACE("Entered get_dir_index_using_name, i_count %d\n", i_count);
> > > +
> > > +	str = kmalloc(sizeof(*index) + (SQUASHFS_NAME_LEN + 1) * 2,
> > > GFP_KERNEL);
> > > +	if (str == NULL) {
> > > +		ERROR("Failed to allocate squashfs_dir_index\n");
> > > +		goto out;
> > > +	}
> > > +
> > > +	index = (struct squashfs_dir_index *) (str + SQUASHFS_NAME_LEN + 1);
> > 
> > As str has been returned by kmalloc(), and SQUASHFS_NAME_LEN is equal to
> > 256,
> > `str + SQUASHFS_NAME_LEN + 1` is an odd address.
> > 
> [..]
> > > +		size = le32_to_cpu(index->size) + 1;
> >                                    ^^^^^^^^^^^
> [.]
> > Hence accessing multi-byte fields in struct squashfs_dir_index causes
> > unaligned
> > accesses, which are emulated on some architectures (e.g. on MIPS).
> > 
> > Use get_unaligned_le32() for unaligned accesses.
> 
> How about aligning it properly in the first place instead?
> Three ways:
> 
>   1) reordering index and str here, so that index comes first,
>      str next.
> 
>   2) using another constant instead of +1
> 
>   3) using separate allocations for separate objects.

You're right.

Somehow I was convinced this was part of the on-disk layout, so it could not be
changed. But that's not the case...

With kind regards,

Geert Uytterhoeven
Software Architect

Sony Techsoft Centre Europe
The Corporate Village · Da Vincilaan 7-D1 · B-1935 Zaventem · Belgium

Phone:    +32 (0)2 700 8453
Fax:      +32 (0)2 700 8622
E-mail:   Geert.Uytterhoeven@...ycom.com
Internet: http://www.sony-europe.com/

A division of Sony Europe (Belgium) N.V.
VAT BE 0413.825.160 · RPR Brussels
Fortis · BIC GEBABEBB · IBAN BE41293037680010

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ