lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 25 Mar 2019 17:42:11 +0100
From:   Jan Kara <jack@...e.cz>
To:     Steve Magnani <steve.magnani@...idescorp.com>
Cc:     Jan Kara <jack@...e.cz>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        linux-fsdevel@...r.kernel.org
Subject: Re: Possible UDF locking error?

Hi!

On Sat 23-03-19 15:14:05, Steve Magnani wrote:
> I have been hunting a UDF bug that occasionally results in generation
> of an Allocation Extent Descriptor with an incorrect tagLocation. So
> far I haven't been able to see a path through the code that could
> cause that. But, I noticed some inconsistency in locking during
> AED generation and wonder if it could result in random corruption.
> 
> The function udf_update_inode() has this general pattern:
> 
>   bh = udf_tgetblk(...);   // calls sb_getblk()
>   lock_buffer(bh);
>   memset(bh->b_data, 0, inode->i_sb->s_blocksize);
>   // <snip>other code to populate FE/EFE data in the block</snip>
>   set_buffer_uptodate(bh);
>   unlock_buffer(bh);
>   mark_buffer_dirty(bh);
> 
> This I can understand - the lock is held for as long as the buffer
> contents are being assembled.
> 
> In contrast, udf_setup_indirect_aext(), which constructs an AED,
> has this sequence:
> 
>   bh = udf_tgetblk(...);   // calls sb_getblk()
>   lock_buffer(bh);
>   memset(bh->b_data, 0, inode->i_sb->s_blocksize);
> 
>   set_buffer_uptodate(bh);
>   unlock_buffer(bh);
>   mark_buffer_dirty_inode(bh);
> 
>   // <snip>other code to populate AED data in the block</snip>
> 
> In this case the population of the block occurs without
> the protection of the lock.
> 
> Because the block has been marked dirty, does this mean that
> writeback could occur at any point during population?

Yes. Thanks for noticing this!

> There is one path through udf_setup_indirect_aext() where
> mark_buffer_dirty_inode() gets called again after population is
> complete, which I suppose could heal a partial writeout, but there is
> also another path in which the buffer does not get marked dirty again.

Generally, we add new extents to the created indirect extent which dirties
the buffer and that should fix the problem. But you are definitely right
that the code is suspicious and should be fixed. Will you send a patch?

								Honza
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ