lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 24 Sep 2012 18:17:42 +0200
From:	David Sterba <dave@...os.cz>
To:	Wang Sheng-Hui <shhuiw@...il.com>
Cc:	chris.mason@...ionio.com, jbacik@...ionio.com,
	linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: Btrfs: check range early in map_private_extent_buffer

On Mon, Sep 24, 2012 at 12:38:07PM +0800, Wang Sheng-Hui wrote:
> Check range early to avoid further check/compute in case
> of range error.
> 
> Signed-off-by: Wang Sheng-Hui <shhuiw@...il.com>
> ---
>  fs/btrfs/extent_io.c |   16 ++++++++--------
>  1 files changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> index 4c87847..9250cf5 100644
> --- a/fs/btrfs/extent_io.c
> +++ b/fs/btrfs/extent_io.c
> @@ -4643,6 +4643,14 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
>  	unsigned long end_i = (start_offset + start + min_len - 1) >>
>  		PAGE_CACHE_SHIFT;
>  
> +	if (start + min_len > eb->len) {
> +		printk(KERN_ERR "btrfs bad mapping eb start %llu len %lu, "
> +		       "wanted %lu %lu\n", (unsigned long long)eb->start,
> +		       eb->len, start, min_len);
> +		WARN_ON(1);
> +		return -EINVAL;
> +	}
> +
>  	if (i != end_i)
>  		return -EINVAL;

4665         unsigned long i = (start_offset + start) >> PAGE_CACHE_SHIFT;
4666         unsigned long end_i = (start_offset + start + min_len - 1) >>
4667                 PAGE_CACHE_SHIFT;

so the check above effectively verifies that

  min_len - 1 < PAGE_CACHE_SIZE
AND
  is within the same page

The other check

	if (start + min_len > eb->len) {

looks if the requested data do not lie out of the bounds of the extent
buffer, where min_len is filled with sizeof(something).

So, both the checks look for corrupted metadata, I don't see the need to
swap them.

david
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ