[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130815222650.GX6023@dastard>
Date: Fri, 16 Aug 2013 08:26:50 +1000
From: Dave Chinner <david@...morbit.com>
To: Ben Myers <bpm@....com>
Cc: Dan Carpenter <dan.carpenter@...cle.com>,
Jeff Liu <jeff.liu@...cle.com>, Alex Elder <elder@...nel.org>,
kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org,
xfs@....sgi.com
Subject: Re: [patch] xfs: check for underflow in xfs_iformat_fork()
On Thu, Aug 15, 2013 at 09:37:06AM -0500, Ben Myers wrote:
> Hey Dan & Jeff,
>
> On Thu, Aug 15, 2013 at 06:10:43PM +0800, Jeff Liu wrote:
> > On 08/15/2013 01:53 PM, Dan Carpenter wrote:
> >
> > > The "di_size" variable comes from the disk and it's a signed 64 bit.
> > > We check the upper limit but we should check for negative numbers as
> > > well.
> > >
> > > Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> > >
> > > diff --git a/fs/xfs/xfs_inode_fork.c b/fs/xfs/xfs_inode_fork.c
> > > index 123971b..849fc70 100644
> > > --- a/fs/xfs/xfs_inode_fork.c
> > > +++ b/fs/xfs/xfs_inode_fork.c
> > > @@ -167,7 +167,8 @@ xfs_iformat_fork(
> > > }
> > >
> > > di_size = be64_to_cpu(dip->di_size);
> > > - if (unlikely(di_size > XFS_DFORK_DSIZE(dip, ip->i_mount))) {
> > > + if (unlikely(di_size < 0 ||
> >
> > But the di_size is initialized to ZERO while allocating a new inode on disk.
> > I wonder if that is better to ASSERT in this case because the current check
> > is used to make sure that the item is inlined, or we don't need it at all.
>
> Hmm. Dan's additional check looks good to me. In this case I'd say the forced
> shutdown is more appropriate than an assert, because here we're reading the
> inode from disk, as opposed to looking at a structure that is already incore
> which we think we've initialized. We want to handle unexpected inputs from
> disk without crashing even if we are CONFIG_XFS_DEBUG.
There are lots of places where we only check di_size to be greater
than some value, and don't check for it being less than zero. Hence
I think that a better solution might be to di_size unsigned as that
will catch "negative" sizes for all types of situations.
We've got the same problem in the userspace code as well and so
treating the size as unsigned will stop such validation problems
everywhere....
Cheers,
Dave.
--
Dave Chinner
david@...morbit.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists