Date: Wed, 26 Aug 2020 11:56:22 +0900
From: Tetsuhiro Kohada <kohada.t2@...il.com>
To: Namjae Jeon <namjae.jeon@...sung.com>
Cc: kohada.tetsuhiro@...mitsubishielectric.co.jp, mori.takahiro@...mitsubishielectric.co.jp, motai.hirotaka@...mitsubishielectric.co.jp, 'Sungjong Seo' <sj1557.seo@...sung.com>, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] exfat: integrates dir-entry getting and validation

On 2020/08/26 10:03, Namjae Jeon wrote:
>> Second: Range validation and type validation should not be separated.
>> When I started making this patch, I intended to add only range validation.
>> However, after the caller gets the ep, the type validation follows.
>> Get ep, null check of ep (= range verification), type verification is a series of procedures.
>> There would be no reason to keep them independent anymore.
>> Range and type validation is enforced when the caller uses ep.
> You can add a validate flag as an argument of exfat_get_dentry_set(), e.g. none, basic and strict.
> none : only range validation.
> basic : range + type validation.
> strict : range + type + checksum and name length, etc.

Currently, various types of verification will not be needed.
Let's add it when we need it.

>
>>> - /* validiate cached dentries */
>>> - for (i = 1; i < num_entries; i++) {
>>> - ep = exfat_get_dentry_cached(es, i);
>>> - if (!exfat_validate_entry(exfat_get_entry_type(ep), &mode))
>>> + ep = exfat_get_dentry_cached(es, ENTRY_STREAM);
>>> + if (!ep || ep->type != EXFAT_STREAM)
>>> + goto free_es;
>>> + es->de[ENTRY_STREAM] = ep;
>>
>> The value contained in stream-ext dir-entry should not be used before validating the EntrySet checksum.
>> So I would insert EntrySet checksum validation here.
>> In that case, the checksum verification loop would be followed by the TYPE_NAME verification loop,
>> is that acceptable?
> Yes. That would be great.

OK.
I'll add TYPE_NAME verification after checksum verification, in the next patch.
However, I think it is enough to validate TYPE_NAME when extracting name.
Could you please tell me why you think you need TYPE_NAME validation here?

BR
---
Tetsuhiro Kohada <kohada.t2@...il.com>
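
Review bot: in the added lines only the entry at ENTRY_STREAM has its type checked (ep->type != EXFAT_STREAM), while the removed loop passed every entry from index 1 to num_entries - 1 through exfat_validate_entry(). Nothing in the quoted lines checks the type of the entries that follow the stream entry, so either keep a loop over the remaining entries or add a comment stating where they are validated before their contents are used.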
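
The three validation levels proposed in the quoted reply (none, basic, strict), with the EntrySet checksum verified before any stream-entry field is read, as an added user-space example; it is not code from the patch or from the kernel's exfat driver. The names es_level, es_checksum, es_validate and es_make_sample are hypothetical, the sample entry set is constructed, and the field offsets and checksum algorithm are those of the exFAT on-disk format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DENTRY_SIZE  32
#define EXFAT_FILE   0x85 /* entry type bytes of the exFAT on-disk format */
#define EXFAT_STREAM 0xC0
#define EXFAT_NAME   0xC1
enum es_level { ES_NONE, ES_BASIC, ES_STRICT }; /* hypothetical names */

/* EntrySetChecksum: rotate right, add each byte, skip bytes 2-3 (the field). */
static uint16_t es_checksum(const uint8_t *set, size_t nbytes)
{
    uint16_t sum = 0;
    for (size_t i = 0; i < nbytes; i++)
        if (i != 2 && i != 3)
            sum = (uint16_t)(((sum & 1) ? 0x8000 : 0) + (sum >> 1) + set[i]);
    return sum;
}

/* Returns 0 if the set passes the requested level, -1 otherwise. */
static int es_validate(const uint8_t *set, size_t len, enum es_level level)
{
    size_t n = len >= 2 ? (size_t)set[1] + 1 : 0; /* SecondaryCount + primary */
    if (n < 3 || n * DENTRY_SIZE > len)           /* range: set fits the buffer */
        return -1;
    if (level == ES_NONE) return 0;
    if (set[0] != EXFAT_FILE || set[DENTRY_SIZE] != EXFAT_STREAM)
        return -1;
    for (size_t i = 2; i < n; i++)                /* remaining entries: names */
        if (set[i * DENTRY_SIZE] != EXFAT_NAME)
            return -1;
    if (level == ES_BASIC) return 0;
    if ((set[2] | (set[3] << 8)) != es_checksum(set, n * DENTRY_SIZE))
        return -1;                                /* stream fields not trusted */
    unsigned name_len = set[DENTRY_SIZE + 3];     /* NameLength, read after checksum */
    return (name_len >= 1 && (name_len + 14) / 15 <= n - 2) ? 0 : -1;
}

/* Constructed sample: file entry, stream entry (NameLength 5), one name entry. */
static void es_make_sample(uint8_t *set)
{
    memset(set, 0, 3 * DENTRY_SIZE);
    set[0] = EXFAT_FILE; set[1] = 2; set[DENTRY_SIZE] = EXFAT_STREAM;
    set[DENTRY_SIZE + 3] = 5; set[2 * DENTRY_SIZE] = EXFAT_NAME;
    uint16_t sum = es_checksum(set, 3 * DENTRY_SIZE);
    set[2] = (uint8_t)sum; set[3] = (uint8_t)(sum >> 8);
}
int main(void) { uint8_t s[96]; es_make_sample(s); return es_validate(s, 96, ES_STRICT); }
```

A single flipped bit in the stream entry passes the basic level and is only caught at the strict level, which is why the checksum has to come before the stream fields are used.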