lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130815222650.GX6023@dastard>
Date:	Fri, 16 Aug 2013 08:26:50 +1000
From:	Dave Chinner <david@...morbit.com>
To:	Ben Myers <bpm@....com>
Cc:	Dan Carpenter <dan.carpenter@...cle.com>,
	Jeff Liu <jeff.liu@...cle.com>, Alex Elder <elder@...nel.org>,
	kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org,
	xfs@....sgi.com
Subject: Re: [patch] xfs: check for underflow in xfs_iformat_fork()

On Thu, Aug 15, 2013 at 09:37:06AM -0500, Ben Myers wrote:
> Hey Dan & Jeff,
> 
> On Thu, Aug 15, 2013 at 06:10:43PM +0800, Jeff Liu wrote:
> > On 08/15/2013 01:53 PM, Dan Carpenter wrote:
> > 
> > > The "di_size" variable comes from the disk and it's a signed 64 bit.
> > > We check the upper limit but we should check for negative numbers as
> > > well.
> > > 
> > > Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> > > 
> > > diff --git a/fs/xfs/xfs_inode_fork.c b/fs/xfs/xfs_inode_fork.c
> > > index 123971b..849fc70 100644
> > > --- a/fs/xfs/xfs_inode_fork.c
> > > +++ b/fs/xfs/xfs_inode_fork.c
> > > @@ -167,7 +167,8 @@ xfs_iformat_fork(
> > >  			}
> > >  
> > >  			di_size = be64_to_cpu(dip->di_size);
> > > -			if (unlikely(di_size > XFS_DFORK_DSIZE(dip, ip->i_mount))) {
> > > +			if (unlikely(di_size < 0 ||
> > 
> > But the di_size is initialized to ZERO while allocating a new inode on disk.
> > I wonder if that is better to ASSERT in this case because the current check
> > is used to make sure that the item is inlined, or we don't need it at all.
> 
> Hmm.  Dan's additional check looks good to me.  In this case I'd say the forced
> shutdown is more appropriate than an assert, because here we're reading the
> inode from disk, as opposed to looking at a structure that is already incore
> which we think we've initialized.  We want to handle unexpected inputs from
> disk without crashing even if we are CONFIG_XFS_DEBUG.

There are lots of places where we only check di_size to be greater
than some value, and don't check for it being less than zero. Hence
I think that a better solution might be to di_size unsigned as that
will catch "negative" sizes for all types of situations.

We've got the same problem in the userspace code as well and so
treating the size as unsigned will stop such validation problems
everywhere....

Cheers,

Dave.
-- 
Dave Chinner
david@...morbit.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ