lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 18 Feb 2019 09:39:14 +0800
From:   Chao Yu <yuchao0@...wei.com>
To:     Gao Xiang <gaoxiang25@...wei.com>
CC:     Al Viro <viro@...IV.linux.org.uk>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        <devel@...verdev.osuosl.org>, LKML <linux-kernel@...r.kernel.org>,
        <linux-erofs@...ts.ozlabs.org>, Chao Yu <chao@...nel.org>,
        Miao Xie <miaoxie@...wei.com>, <weidu.du@...wei.com>,
        "Fang Wei" <fangwei1@...wei.com>, <stable@...r.kernel.org>
Subject: Re: [PATCH v2] staging: erofs: keep corrupted fs from crashing kernel
 in erofs_namei()

Hi xiang,

On 2019/2/15 16:58, Gao Xiang wrote:
> Hi Chao,
> 
> On 2019/2/15 15:02, Chao Yu wrote:
>> On 2019/2/1 20:16, Gao Xiang wrote:
>>> As Al pointed out, "
>>> ... and while we are at it, what happens to
>>> 	unsigned int nameoff = le16_to_cpu(de[mid].nameoff);
>>> 	unsigned int matched = min(startprfx, endprfx);
>>>
>>> 	struct qstr dname = QSTR_INIT(data + nameoff,
>>> 		unlikely(mid >= ndirents - 1) ?
>>> 			maxsize - nameoff :
>>> 			le16_to_cpu(de[mid + 1].nameoff) - nameoff);
>>>
>>> 	/* string comparison without already matched prefix */
>>> 	int ret = dirnamecmp(name, &dname, &matched);
>>> if le16_to_cpu(de[...].nameoff) is not monotonically increasing?  I.e.
>>> what's to prevent e.g. (unsigned)-1 ending up in dname.len?
>>>
>>> Corrupted fs image shouldn't oops the kernel.. "
>>>
>>> Revisit the related lookup flow to address the issue.
>>>
>>> Fixes: d72d1ce60174 ("staging: erofs: add namei functions")
>>> Cc: <stable@...r.kernel.org> # 4.19+
>>> Suggested-by: Al Viro <viro@...IV.linux.org.uk>
>>> Signed-off-by: Gao Xiang <gaoxiang25@...wei.com>
>>> ---
>>> [ It should be better get reviewed first and for linux-next... ]
>>>
>>> change log v2:
>>>  - fix the missing "kunmap_atomic" pointed out by Dan;
>>>  - minor cleanup;
>>>
>>>  drivers/staging/erofs/namei.c | 187 ++++++++++++++++++++++--------------------
>>>  1 file changed, 99 insertions(+), 88 deletions(-)
>>>
>>> diff --git a/drivers/staging/erofs/namei.c b/drivers/staging/erofs/namei.c
>>> index 5596c52e246d..321c881d720f 100644
>>> --- a/drivers/staging/erofs/namei.c
>>> +++ b/drivers/staging/erofs/namei.c
>>> @@ -15,74 +15,77 @@
>>>  
>>>  #include <trace/events/erofs.h>
>>>  
>>> -/* based on the value of qn->len is accurate */
>>> -static inline int dirnamecmp(struct qstr *qn,
>>> -	struct qstr *qd, unsigned int *matched)
>>> +struct erofs_qstr {
>>> +	const unsigned char *name;
>>> +	const unsigned char *end;
>>> +};
>>> +
>>> +/* based on the end of qn is accurate and it must have the trailing '\0' */
>>> +static inline int dirnamecmp(const struct erofs_qstr *qn,
>>> +			     const struct erofs_qstr *qd,
>>> +			     unsigned int *matched)
>>>  {
>>> -	unsigned int i = *matched, len = min(qn->len, qd->len);
>>> -loop:
>>> -	if (unlikely(i >= len)) {
>>> -		*matched = i;
>>> -		if (qn->len < qd->len) {
>>> -			/*
>>> -			 * actually (qn->len == qd->len)
>>> -			 * when qd->name[i] == '\0'
>>> -			 */
>>> -			return qd->name[i] == '\0' ? 0 : -1;
>>> +	unsigned int i = *matched;
>>> +
>>> +	/*
>>> +	 * on-disk error, let's only BUG_ON in the debugging mode.
>>> +	 * otherwise, it will return 1 to just skip the invalid name
>>> +	 * and go on (in consideration of the lookup performance).
>>> +	 */
>>> +	DBG_BUGON(qd->name > qd->end);
>>
>> qd->name == qd->end is not allowed as well?
> 
> Make sense, it is only used for debugging mode, let me send another patch later...
> 
>>
>> So will it be better to return directly here?
>>
>> 	if (unlikely(qd->name >= qd->end)) {
>> 		DBG_BUGON(1);
>> 		return 1;
>> 	}
> 
> Corrupted image is rare happened in normal systems, I tend to only use
> DBG_BUGON here, and  qn->name[i] is of course not '\0', so it will return 1;

If the image is corrupted, qn->name[i] may be anything, as you commented
above DBG_BUGON(), we really don't need to go through any later codes, it
can avoid potentially encoutnering wrong condition.

* otherwise, it will return 1 to just skip the invalid name

> 
>>
>>> +
>>> +	/* qd could not have trailing '\0' */
>>> +	/* However it is absolutely safe if < qd->end */
>>> +	while (qd->name + i < qd->end && qd->name[i] != '\0') {
>>> +		if (qn->name[i] != qd->name[i]) {
>>> +			*matched = i;
>>> +			return qn->name[i] > qd->name[i] ? 1 : -1;
>>>  		}
>>> -		return (qn->len > qd->len);
>>> +		++i;
>>>  	}
>>> -
>>> -	if (qn->name[i] != qd->name[i]) {
>>> -		*matched = i;
>>> -		return qn->name[i] > qd->name[i] ? 1 : -1;
>>> -	}
>>> -
>>> -	++i;
>>> -	goto loop;
>>> +	*matched = i;
>>> +	/* See comments in __d_alloc on the terminating NUL character */
>>> +	return qn->name[i] == '\0' ? 0 : 1;
>>>  }
>>>  
>>> -static struct erofs_dirent *find_target_dirent(
>>> -	struct qstr *name,
>>> -	u8 *data, int maxsize)
>>> +#define nameoff_from_disk(off, sz)	(le16_to_cpu(off) & ((sz) - 1))
>>> +
>>> +static struct erofs_dirent *find_target_dirent(struct erofs_qstr *name,
>>> +					       u8 *data,
>>> +					       unsigned int dirblksize,
>>> +					       const int ndirents)
>>>  {
>>> -	unsigned int ndirents, head, back;
>>> +	int head, back;
>>>  	unsigned int startprfx, endprfx;
>>>  	struct erofs_dirent *const de = (struct erofs_dirent *)data;
>>>  
>>> -	/* make sure that maxsize is valid */
>>> -	BUG_ON(maxsize < sizeof(struct erofs_dirent));
>>> -
>>> -	ndirents = le16_to_cpu(de->nameoff) / sizeof(*de);
>>> -
>>> -	/* corrupted dir (may be unnecessary...) */
>>> -	BUG_ON(!ndirents);
>>> -
>>> -	head = 0;
>>> +	/* since the 1st dirent has been evaluated previously */
>>> +	head = 1;
>>>  	back = ndirents - 1;
>>>  	startprfx = endprfx = 0;
>>>  
>>>  	while (head <= back) {
>>> -		unsigned int mid = head + (back - head) / 2;
>>> -		unsigned int nameoff = le16_to_cpu(de[mid].nameoff);
>>> +		const int mid = head + (back - head) / 2;
>>> +		const int nameoff = nameoff_from_disk(de[mid].nameoff,
>>> +						      dirblksize);
>>>  		unsigned int matched = min(startprfx, endprfx);
>>> -
>>> -		struct qstr dname = QSTR_INIT(data + nameoff,
>>> -			unlikely(mid >= ndirents - 1) ?
>>> -				maxsize - nameoff :
>>> -				le16_to_cpu(de[mid + 1].nameoff) - nameoff);
>>> +		struct erofs_qstr dname = {
>>> +			.name = data + nameoff,
>>> +			.end = unlikely(mid >= ndirents - 1) ?
>>> +				data + dirblksize :
>>> +				data + nameoff_from_disk(de[mid + 1].nameoff,
>>> +							 dirblksize)
>>> +		};
>>>  
>>>  		/* string comparison without already matched prefix */
>>>  		int ret = dirnamecmp(name, &dname, &matched);
>>>  
>>> -		if (unlikely(!ret))
>>> +		if (unlikely(!ret)) {
>>>  			return de + mid;
>>> -		else if (ret > 0) {
>>> +		} else if (ret > 0) {
>>>  			head = mid + 1;
>>>  			startprfx = matched;
>>> -		} else if (unlikely(mid < 1))	/* fix "mid" overflow */
>>> -			break;
>>> -		else {
>>> +		} else {
>>>  			back = mid - 1;
>>>  			endprfx = matched;
>>>  		}
>>> @@ -91,12 +94,12 @@ static struct erofs_dirent *find_target_dirent(
>>>  	return ERR_PTR(-ENOENT);
>>>  }
>>>  
>>> -static struct page *find_target_block_classic(
>>> -	struct inode *dir,
>>> -	struct qstr *name, int *_diff)
>>> +static struct page *find_target_block_classic(struct inode *dir,
>>> +					      struct erofs_qstr *name,
>>> +					      int *_ndirents)
>>>  {
>>>  	unsigned int startprfx, endprfx;
>>> -	unsigned int head, back;
>>> +	int head, back;
>>>  	struct address_space *const mapping = dir->i_mapping;
>>>  	struct page *candidate = ERR_PTR(-ENOENT);
>>>  
>>> @@ -105,41 +108,43 @@ static struct page *find_target_block_classic(
>>>  	back = inode_datablocks(dir) - 1;
>>>  
>>>  	while (head <= back) {
>>> -		unsigned int mid = head + (back - head) / 2;
>>> +		const int mid = head + (back - head) / 2;
>>>  		struct page *page = read_mapping_page(mapping, mid, NULL);
>>>  
>>> -		if (IS_ERR(page)) {
>>> -exact_out:
>>> -			if (!IS_ERR(candidate)) /* valid candidate */
>>> -				put_page(candidate);
>>> -			return page;
>>> -		} else {
>>> -			int diff;
>>> -			unsigned int ndirents, matched;
>>> -			struct qstr dname;
>>> +		if (!IS_ERR(page)) {
>>>  			struct erofs_dirent *de = kmap_atomic(page);
>>> -			unsigned int nameoff = le16_to_cpu(de->nameoff);
>>> -
>>> -			ndirents = nameoff / sizeof(*de);
>>> +			const int nameoff = nameoff_from_disk(de->nameoff,
>>> +							      EROFS_BLKSIZ);
>>> +			const int ndirents = nameoff / sizeof(*de);
>>> +			int diff;
>>> +			unsigned int matched;
>>> +			struct erofs_qstr dname;
>>>  
>>> -			/* corrupted dir (should have one entry at least) */
>>> -			BUG_ON(!ndirents || nameoff > PAGE_SIZE);
>>> +			if (unlikely(!ndirents)) {
>>> +				DBG_BUGON(1);
>>> +				kunmap_atomic(de);
>>> +				put_page(page);
>>> +				page = ERR_PTR(-EIO);
>>> +				goto out;
>>> +			}
>>>  
>>>  			matched = min(startprfx, endprfx);
>>>  
>>>  			dname.name = (u8 *)de + nameoff;
>>> -			dname.len = ndirents == 1 ?
>>> -				/* since the rest of the last page is 0 */
>>> -				EROFS_BLKSIZ - nameoff
>>> -				: le16_to_cpu(de[1].nameoff) - nameoff;
>>> +			if (ndirents == 1)
>>> +				dname.end = (u8 *)de + EROFS_BLKSIZ;
>>> +			else
>>> +				dname.end = (u8 *)de +
>>> +					nameoff_from_disk(de[1].nameoff,
>>> +							  EROFS_BLKSIZ);
>>>  
>>>  			/* string comparison without already matched prefix */
>>>  			diff = dirnamecmp(name, &dname, &matched);
>>>  			kunmap_atomic(de);
>>>  
>>>  			if (unlikely(!diff)) {
>>> -				*_diff = 0;
>>> -				goto exact_out;
>>> +				*_ndirents = 0;
>>> +				goto out;
>>>  			} else if (diff > 0) {
>>>  				head = mid + 1;
>>>  				startprfx = matched;
>>> @@ -147,47 +152,53 @@ static struct page *find_target_block_classic(
>>>  				if (likely(!IS_ERR(candidate)))
>>>  					put_page(candidate);
>>>  				candidate = page;
>>> +				*_ndirents = ndirents;
>>>  			} else {
>>>  				put_page(page);
>>>  
>>> -				if (unlikely(mid < 1))	/* fix "mid" overflow */
>>> -					break;
>>> -
>>>  				back = mid - 1;
>>>  				endprfx = matched;
>>>  			}
>>> +			continue;
>>>  		}
>>> +out:		/* free if the candidate is valid */
>>> +		if (!IS_ERR(candidate))
>>> +			put_page(candidate);
>>> +		return page;
>>>  	}
>>> -	*_diff = 1;
>>>  	return candidate;
>>>  }
>>>  
>>>  int erofs_namei(struct inode *dir,
>>> -	struct qstr *name,
>>> -	erofs_nid_t *nid, unsigned int *d_type)
>>> +		struct qstr *name,
>>> +		erofs_nid_t *nid, unsigned int *d_type)
>>>  {
>>> -	int diff;
>>> +	int ndirents;
>>>  	struct page *page;
>>> -	u8 *data;
>>> +	void *data;
>>>  	struct erofs_dirent *de;
>>> +	struct erofs_qstr qn;
>>>  
>>>  	if (unlikely(!dir->i_size))
>>>  		return -ENOENT;
>>>  
>>> -	diff = 1;
>>> -	page = find_target_block_classic(dir, name, &diff);
>>> +	qn.name = name->name;
>>> +	qn.end = name->name + name->len;
>>> +
>>> +	ndirents = 0;
>>> +	page = find_target_block_classic(dir, &qn, &ndirents);
>>>  
>>> -	if (unlikely(IS_ERR(page)))
>>> +	if (IS_ERR(page))
>>>  		return PTR_ERR(page);
>>>  
>>>  	data = kmap_atomic(page);
>>>  	/* the target page has been mapped */
>>> -	de = likely(diff) ?
>>> -		/* since the rest of the last page is 0 */
>>> -		find_target_dirent(name, data, EROFS_BLKSIZ) :
>>> -		(struct erofs_dirent *)data;
>>> +	if (ndirents)
>>> +		de = find_target_dirent(&qn, data, EROFS_BLKSIZ, ndirents);
>>
>> If we want to support different blksize during dirent lookup, how about
>> adding parameter for find_target_block_classic() as find_target_dirent()?
> 
> Yes, you are right. However, find_target_dirent is now totally designed in page unit
> because of get_meta_page usage, but find_target_dirent doesn't.
> 
> I think if we support sub-page feature later (by using iomap or someelse), it
> could be added later.

No problem, it's not a big deal. :)

Thanks,

> 
> Thanks,
> Gao Xiang
> 
> 
>>
>> Thanks,
>>
>>> +	else
>>> +		de = (struct erofs_dirent *)data;
>>>  
>>> -	if (likely(!IS_ERR(de))) {
>>> +	if (!IS_ERR(de)) {
>>>  		*nid = le64_to_cpu(de->nid);
>>>  		*d_type = de->file_type;
>>>  	}
>>>
>>
> 
> .
> 

Powered by blists - more mailing lists