lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 13 Aug 2020 00:04:51 +0900
From:   Tetsuhiro Kohada <kohada.t2@...il.com>
To:     Namjae Jeon <namjae.jeon@...sung.com>
Cc:     kohada.tetsuhiro@...mitsubishielectric.co.jp,
        mori.takahiro@...mitsubishielectric.co.jp,
        motai.hirotaka@...mitsubishielectric.co.jp,
        'Sungjong Seo' <sj1557.seo@...sung.com>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] exfat: add NameLength check when extracting name

Thank you for your reply.

>> -static void exfat_get_uniname_from_ext_entry(struct super_block *sb,
>> -		struct exfat_chain *p_dir, int entry, unsigned short *uniname)
>> +static int exfat_get_uniname_from_name_entries(struct exfat_entry_set_cache *es,
>> +		struct exfat_uni_name *uniname)
>>   {
>> -	int i;
>> -	struct exfat_entry_set_cache *es;
>> +	int n, l, i;
>>   	struct exfat_dentry *ep;
>>
>> -	es = exfat_get_dentry_set(sb, p_dir, entry, ES_ALL_ENTRIES);
>> -	if (!es)
>> -		return;
>> +	uniname->name_len = es->de_stream->name_len;
>> +	if (uniname->name_len == 0)
>> +		return -EIO;
> Can we validate ->name_len and name entry ->type in exfat_get_dentry_set() ?

Yes.
As I wrote in a previous email, entry type validation, name-length validation, and name
extraction should not be separated, so implement all of these in exfat_get_dentry_set().
It can be easily implemented by adding uniname to exfat_entry_set_cache and calling
exfat_get_uniname_from_name_entries() from exfat_get_dentry_set().

However, that would be over-implementation.
Not all callers of exfat_get_dentry_set() need a name.
It is enough to validate the name when it is needed.
This is a file-system driver, not fsck.
Validation is possible in exfat_get_dentry_set(), but unnecessary.

Why do you want to validate the name in exfat_get_dentry_set()?


BR
---
Tetsuhiro Kohada <kohada.t2@...il.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ