lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 07 Jul 2014 09:24:05 +0800
From:	Chao Yu <chao2.yu@...sung.com>
To:	'Jaegeuk Kim' <jaegeuk@...nel.org>
Cc:	'Changman Lee' <cm224.lee@...sung.com>,
	linux-f2fs-devel@...ts.sourceforge.net,
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: RE: [f2fs-dev][PATCH 1/2] f2fs: check name_len of dir entry to prevent
 from deadloop

Hi Jaegeuk,

> -----Original Message-----
> From: Jaegeuk Kim [mailto:jaegeuk@...nel.org]
> Sent: Saturday, July 05, 2014 2:43 PM
> To: Chao Yu
> Cc: Changman Lee; linux-f2fs-devel@...ts.sourceforge.net; linux-fsdevel@...r.kernel.org;
> linux-kernel@...r.kernel.org
> Subject: Re: [f2fs-dev][PATCH 1/2] f2fs: check name_len of dir entry to prevent from deadloop
> 
> Hi Chao,
> 
> On Wed, Jul 02, 2014 at 01:23:47PM +0800, Chao Yu wrote:
> > We assume that modification of some special application could result in zeroed
> > name_len, or it is consciously made by somebody. We will deadloop in
> > find_in_block when name_len of dir entry is zero.
> 
> Could you explain this a little bit more?
> I'm not sure how it can happen.

IMO,
On one hand, programs like mkfs/fsck/img2simg and f2fs could directly operate
the raw device, so bugs of these software may be triggered to generate the
corrupt data such as zeroed name_len.
On the other hand, it' could be treated as a potential security problem, because
user could crafted such a malicious image include zeroed name_len for hacking purpose.
Once such special image is being mounted, deadloop could be triggered, finally will
result in effecting on linux system's running.

Thanks,
Yu

> I think the zeroed name_len would cause some problems in f2fs_add_link.
> 
> Thanks,
> 
> >
> > This patch is added for preventing deadloop in above scenario.
> >
> > Signed-off-by: Chao Yu <chao2.yu@...sung.com>
> > ---
> >  fs/f2fs/dir.c |   10 ++++++++++
> >  1 file changed, 10 insertions(+)
> >
> > diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
> > index be8c7af..4316ec5 100644
> > --- a/fs/f2fs/dir.c
> > +++ b/fs/f2fs/dir.c
> > @@ -121,6 +121,16 @@ static struct f2fs_dir_entry *find_in_block(struct page *dentry_page,
> >  			}
> >  		}
> >
> > +		/* check name_len to prevent from deadloop here */
> > +		if (unlikely(de->name_len == 0)) {
> > +			struct inode *inode = dentry_page->mapping->host;
> > +
> > +			f2fs_msg(inode->i_sb, KERN_ERR,
> > +				"zero-length dir entry, ino = %lu, name = %s",
> > +				(unsigned long)inode->i_ino, name->name);
> > +			break;
> > +		}
> > +
> >  		bit_start = bit_pos
> >  				+ GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
> >  	}
> > --
> > 1.7.9.5
> 
> --
> Jaegeuk Kim

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists