lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 18 Feb 2019 10:50:31 +0800
From:   Chao Yu <yuchao0@...wei.com>
To:     Gao Xiang <gaoxiang25@...wei.com>
CC:     Al Viro <viro@...IV.linux.org.uk>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        <devel@...verdev.osuosl.org>, LKML <linux-kernel@...r.kernel.org>,
        <linux-erofs@...ts.ozlabs.org>, Chao Yu <chao@...nel.org>,
        Miao Xie <miaoxie@...wei.com>, <weidu.du@...wei.com>,
        "Fang Wei" <fangwei1@...wei.com>, <stable@...r.kernel.org>
Subject: Re: [PATCH v2] staging: erofs: keep corrupted fs from crashing kernel
 in erofs_namei()

Hi Xiang,

On 2019/2/18 10:17, Gao Xiang wrote:
> Hi Chao,
> 
> On 2019/2/18 9:39, Chao Yu wrote:
>> If the image is corrupted, qn->name[i] may be anything, as you commented
>> above DBG_BUGON(), we really don't need to go through any later codes, it
>> can avoid potentially encoutnering wrong condition.
>>
>> * otherwise, it will return 1 to just skip the invalid name
>>
> 
> Just I commented in the following source code, qn is actually the user requested
> name allocated in __d_alloc, which can be guaranteed with the trailing '\0' and
> it is a valid string.

Alright, I agreed below codes can guarantee that. :)

Thanks,

> 
> Thanks,
> Gao Xiang
> 
>>>>> +
>>>>> +	/* qd could not have trailing '\0' */
>>>>> +	/* However it is absolutely safe if < qd->end */
>>>>> +	while (qd->name + i < qd->end && qd->name[i] != '\0') {
>>>>> +		if (qn->name[i] != qd->name[i]) {
>>>>> +			*matched = i;
>>>>> +			return qn->name[i] > qd->name[i] ? 1 : -1;
>>>>>  		}
>>>>> -		return (qn->len > qd->len);
>>>>> +		++i;
>>>>>  	}
>>>>> -
>>>>> -	if (qn->name[i] != qd->name[i]) {
>>>>> -		*matched = i;
>>>>> -		return qn->name[i] > qd->name[i] ? 1 : -1;
>>>>> -	}
>>>>> -
>>>>> -	++i;
>>>>> -	goto loop;
>>>>> +	*matched = i;
>>>>> +	/* See comments in __d_alloc on the terminating NUL character */
>>>>> +	return qn->name[i] == '\0' ? 0 : 1;
>>>>>  }
> 
> .
> 

Powered by blists - more mailing lists