| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <56f03bdf-1817-6b3e-44d5-922637ac39f4@huawei.com>
Date: Mon, 18 Feb 2019 10:17:28 +0800
From: Gao Xiang <gaoxiang25@...wei.com>
To: Chao Yu <yuchao0@...wei.com>
CC: Al Viro <viro@...IV.linux.org.uk>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
<devel@...verdev.osuosl.org>, LKML <linux-kernel@...r.kernel.org>,
<linux-erofs@...ts.ozlabs.org>, Chao Yu <chao@...nel.org>,
Miao Xie <miaoxie@...wei.com>, <weidu.du@...wei.com>,
"Fang Wei" <fangwei1@...wei.com>, <stable@...r.kernel.org>
Subject: Re: [PATCH v2] staging: erofs: keep corrupted fs from crashing kernel
in erofs_namei()
Hi Chao,
On 2019/2/18 9:39, Chao Yu wrote:
> If the image is corrupted, qn->name[i] may be anything, as you commented
> above DBG_BUGON(), we really don't need to go through any later codes, it
> can avoid potentially encoutnering wrong condition.
>
> * otherwise, it will return 1 to just skip the invalid name
>
Just I commented in the following source code, qn is actually the user requested
name allocated in __d_alloc, which can be guaranteed with the trailing '\0' and
it is a valid string.
Thanks,
Gao Xiang
>>>> +
>>>> + /* qd could not have trailing '\0' */
>>>> + /* However it is absolutely safe if < qd->end */
>>>> + while (qd->name + i < qd->end && qd->name[i] != '\0') {
>>>> + if (qn->name[i] != qd->name[i]) {
>>>> + *matched = i;
>>>> + return qn->name[i] > qd->name[i] ? 1 : -1;
>>>> }
>>>> - return (qn->len > qd->len);
>>>> + ++i;
>>>> }
>>>> -
>>>> - if (qn->name[i] != qd->name[i]) {
>>>> - *matched = i;
>>>> - return qn->name[i] > qd->name[i] ? 1 : -1;
>>>> - }
>>>> -
>>>> - ++i;
>>>> - goto loop;
>>>> + *matched = i;
>>>> + /* See comments in __d_alloc on the terminating NUL character */
>>>> + return qn->name[i] == '\0' ? 0 : 1;
>>>> }
Powered by blists - more mailing lists