lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <dd284020-77b0-1627-2fc2-bc51745adfd3@huawei.com>
Date:   Tue, 6 Aug 2019 09:10:58 +0800
From:   Chao Yu <yuchao0@...wei.com>
To:     Jaegeuk Kim <jaegeuk@...nel.org>
CC:     <linux-f2fs-devel@...ts.sourceforge.net>,
        <linux-kernel@...r.kernel.org>, <chao@...nel.org>
Subject: Re: [PATCH] Revert "f2fs: avoid out-of-range memory access"

On 2019/8/6 8:42, Jaegeuk Kim wrote:
> On 08/02, Chao Yu wrote:
>> As Pavel Machek reported:
>>
>> "We normally use -EUCLEAN to signal filesystem corruption. Plus, it is
>> good idea to report it to the syslog and mark filesystem as "needing
>> fsck" if filesystem can do that."
>>
>> Still we need improve the original patch with:
>> - use unlikely keyword
>> - add message print
>> - return EUCLEAN
>>
>> However, after rethink this patch, I don't think we should add such
>> condition check here as below reasons:
>> - We have already checked the field in f2fs_sanity_check_ckpt(),
>> - If there is fs corrupt or security vulnerability, there is nothing
>> to guarantee the field is integrated after the check, unless we do
>> the check before each of its use, however no filesystem does that.
>> - We only have similar check for bitmap, which was added due to there
>> is bitmap corruption happened on f2fs' runtime in product.
>> - There are so many key fields in SB/CP/NAT did have such check
>> after f2fs_sanity_check_{sb,cp,..}.
>>
>> So I propose to revert this unneeded check.
> 
> IIRC, this came from security vulnerability report which can access

I don't think that's correct report, since we have checked validation of that
field during mount, if it can be ruined after that, any variables can't be trusted.

Now we just check bitmaps at real-time, because we have encountered such bitmap
corruption in product.

Thanks,

> out-of-boundary memory region. Could you write another patch to address the
> above issues?
> 
>>
>> This reverts commit 56f3ce675103e3fb9e631cfb4131fc768bc23e9a.
>>
>> Signed-off-by: Chao Yu <yuchao0@...wei.com>
>> ---
>>  fs/f2fs/segment.c | 5 -----
>>  1 file changed, 5 deletions(-)
>>
>> diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
>> index 9693fa4c8971..2eff9c008ae0 100644
>> --- a/fs/f2fs/segment.c
>> +++ b/fs/f2fs/segment.c
>> @@ -3492,11 +3492,6 @@ static int read_compacted_summaries(struct f2fs_sb_info *sbi)
>>  		seg_i = CURSEG_I(sbi, i);
>>  		segno = le32_to_cpu(ckpt->cur_data_segno[i]);
>>  		blk_off = le16_to_cpu(ckpt->cur_data_blkoff[i]);
>> -		if (blk_off > ENTRIES_IN_SUM) {
>> -			f2fs_bug_on(sbi, 1);
>> -			f2fs_put_page(page, 1);
>> -			return -EFAULT;
>> -		}
>>  		seg_i->next_segno = segno;
>>  		reset_curseg(sbi, i, 0);
>>  		seg_i->alloc_type = ckpt->alloc_type[i];
>> -- 
>> 2.18.0.rc1
> .
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ