lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 29 May 2020 11:38:09 +0800
From:   Zhe Li <lizhe67@...wei.com>
To:     <dwmw2@...radead.org>, <linux-mtd@...ts.infradead.org>,
        <linux-kernel@...r.kernel.org>
Subject: [PATCH] jffs2: fix nothing output for "ls" command

Recently I find a bug that I get nothing with shell
command "ls". The test steps are listed below.
1. cd $JFFS2_MOUNT_DIR
2. touch file
3. ls

Finally I find that when command "ls" going into
function jffs2_readdir(), it get non-zero return
value from function dir_emit(). So I get nothing
from "ls", absolutely.

After checking my file system image, I find a raw
dirent node with nsize = 0. The full_scan mounting
process do not check nsize and the return value
of strnlen(rd->name, rd->nsize) carefully, which
causes function jffs2_readdir pass 0 to parameter
namelen of function dir_emit when we use command
"ls".

Of course it should never happened to find a raw
dirent with nsize = 0. In my opinion, this abnormal
phenomenon maybe cause by bad driver or bad medium.
But for rebustness reason, jffs2 should handle it.

This patch add codes to check the nsize and the
return value of strnlen(rd->name, rd->nsize). If
abnormal node is found, use function jffs2_scan_dirty_space
to deal with it.

Signed-off-by: Zhe Li <lizhe67@...wei.com>
---
 fs/jffs2/scan.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/jffs2/scan.c b/fs/jffs2/scan.c
index 5f7e284..ff37d92 100644
--- a/fs/jffs2/scan.c
+++ b/fs/jffs2/scan.c
@@ -1065,8 +1065,21 @@ static int jffs2_scan_dirent_node(struct jffs2_sb_info *c, struct jffs2_eraseblo
 
 	pseudo_random += je32_to_cpu(rd->version);
 
+	if (rd->nsize == 0) {
+		pr_err("%s(): Node nsize is zero at 0x%08x\n", __func__, ofs);
+		if ((err = jffs2_scan_dirty_space(c, jeb, PAD(je32_to_cpu(rd->totlen)))))
+			return err;
+		return 0;
+	}
+
 	/* Should never happen. Did. (OLPC trac #4184)*/
 	checkedlen = strnlen(rd->name, rd->nsize);
+	if (checkedlen == 0) {
+		pr_err("Dirent at %08x get zero checkedlen\n", ofs);
+		if ((err = jffs2_scan_dirty_space(c, jeb, PAD(je32_to_cpu(rd->totlen)))))
+			return err;
+		return 0;
+	}
 	if (checkedlen < rd->nsize) {
 		pr_err("Dirent at %08x has zeroes in name. Truncating to %d chars\n",
 		       ofs, checkedlen);
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ