| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2e8f710c-574e-6634-f412-c45337474190@huawei.com>
Date: Mon, 18 Feb 2019 10:50:31 +0800
From: Chao Yu <yuchao0@...wei.com>
To: Gao Xiang <gaoxiang25@...wei.com>
CC: Al Viro <viro@...IV.linux.org.uk>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
<devel@...verdev.osuosl.org>, LKML <linux-kernel@...r.kernel.org>,
<linux-erofs@...ts.ozlabs.org>, Chao Yu <chao@...nel.org>,
Miao Xie <miaoxie@...wei.com>, <weidu.du@...wei.com>,
"Fang Wei" <fangwei1@...wei.com>, <stable@...r.kernel.org>
Subject: Re: [PATCH v2] staging: erofs: keep corrupted fs from crashing kernel
in erofs_namei()
Hi Xiang,
On 2019/2/18 10:17, Gao Xiang wrote:
> Hi Chao,
>
> On 2019/2/18 9:39, Chao Yu wrote:
>> If the image is corrupted, qn->name[i] may be anything, as you commented
>> above DBG_BUGON(), we really don't need to go through any later codes, it
>> can avoid potentially encoutnering wrong condition.
>>
>> * otherwise, it will return 1 to just skip the invalid name
>>
>
> Just I commented in the following source code, qn is actually the user requested
> name allocated in __d_alloc, which can be guaranteed with the trailing '\0' and
> it is a valid string.
Alright, I agreed below codes can guarantee that. :)
Thanks,
>
> Thanks,
> Gao Xiang
>
>>>>> +
>>>>> + /* qd could not have trailing '\0' */
>>>>> + /* However it is absolutely safe if < qd->end */
>>>>> + while (qd->name + i < qd->end && qd->name[i] != '\0') {
>>>>> + if (qn->name[i] != qd->name[i]) {
>>>>> + *matched = i;
>>>>> + return qn->name[i] > qd->name[i] ? 1 : -1;
>>>>> }
>>>>> - return (qn->len > qd->len);
>>>>> + ++i;
>>>>> }
>>>>> -
>>>>> - if (qn->name[i] != qd->name[i]) {
>>>>> - *matched = i;
>>>>> - return qn->name[i] > qd->name[i] ? 1 : -1;
>>>>> - }
>>>>> -
>>>>> - ++i;
>>>>> - goto loop;
>>>>> + *matched = i;
>>>>> + /* See comments in __d_alloc on the terminating NUL character */
>>>>> + return qn->name[i] == '\0' ? 0 : 1;
>>>>> }
>
> .
>
Powered by blists - more mailing lists