| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Aug 2021 13:22:38 +0300
From: Kari Argillander <kari.argillander@...il.com>
To: Dan Carpenter <dan.carpenter@...cle.com>
Cc: Konstantin Komarov <almaz.alexandrovich@...agon-software.com>,
ntfs3@...ts.linux.dev, linux-kernel@...r.kernel.org,
kernel-janitors@...r.kernel.org
Subject: Re: [PATCH 3/3] fs/ntfs3: Fix error handling in
indx_insert_into_root()
On Tue, Aug 24, 2021 at 10:51:04AM +0300, Dan Carpenter wrote:
> There are three bugs in this code:
> 1) If indx_get_root() fails, then return -EINVAL instead of success.
> 2) On the "/* make root external */" -EOPNOTSUPP; error path it should
> free "re" but it has a memory leak.
> 3) If indx_new() fails then it will lead to an error pointer dereference
> when we call put_indx_node().
>
> I've re-written the error handling to be more clear.
>
> Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
Minor things in comments. With or without they being made:
Reviewed-by: Kari Argillander <kari.argillander@...il.com>
> ---
> fs/ntfs3/index.c | 36 ++++++++++++++++--------------------
> 1 file changed, 16 insertions(+), 20 deletions(-)
>
> diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
> index 489e0fffbc75..4f2d24010386 100644
> --- a/fs/ntfs3/index.c
> +++ b/fs/ntfs3/index.c
> @@ -1554,12 +1554,12 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
int err = 0;
No need to initiliaze err anymore.
> u32 root_size, new_root_size;
> struct ntfs_sb_info *sbi;
> int ds_root;
> - struct INDEX_ROOT *root, *a_root = NULL;
> + struct INDEX_ROOT *root, *a_root;
>
> /* Get the record this root placed in */
> root = indx_get_root(indx, ni, &attr, &mi);
> if (!root)
> - goto out;
> + return -EINVAL;
>
> /*
> * Try easy case:
> @@ -1591,10 +1591,8 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
>
> /* Make a copy of root attribute to restore if error */
> a_root = ntfs_memdup(attr, asize);
> - if (!a_root) {
> - err = -ENOMEM;
> - goto out;
> - }
> + if (!a_root)
> + return -ENOMEM;
a_root could be moved little further but maybe it makes sense to live
here. Not effecting your patch but I wonder if attr should be restored
in more situatations. attr is restored only in one place. But you do
not have to check any of this if not intrested. Just thinking out loud
here.
>
> /* copy all the non-end entries from the index root to the new buffer.*/
> to_move = 0;
> @@ -1604,7 +1602,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
> for (e = e0;; e = hdr_next_de(hdr, e)) {
> if (!e) {
> err = -EINVAL;
> - goto out;
> + goto out_free_root;
> }
>
> if (de_is_last(e))
> @@ -1612,14 +1610,13 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
> to_move += le16_to_cpu(e->size);
> }
>
> - n = NULL;
> if (!to_move) {
> re = NULL;
> } else {
> re = ntfs_memdup(e0, to_move);
> if (!re) {
> err = -ENOMEM;
> - goto out;
> + goto out_free_root;
> }
> }
>
> @@ -1636,7 +1633,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
> if (ds_root > 0 && used + ds_root > sbi->max_bytes_per_attr) {
> /* make root external */
> err = -EOPNOTSUPP;
> - goto out;
> + goto out_free_re;
> }
>
> if (ds_root)
> @@ -1666,7 +1663,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
> /* bug? */
> ntfs_set_state(sbi, NTFS_DIRTY_ERROR);
> err = -EINVAL;
> - goto out1;
> + goto out_free_re;
> }
>
> if (err) {
> @@ -1677,7 +1674,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
> /* bug? */
> ntfs_set_state(sbi, NTFS_DIRTY_ERROR);
> }
> - goto out1;
> + goto out_free_re;
> }
>
> e = (struct NTFS_DE *)(root + 1);
> @@ -1688,7 +1685,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
> n = indx_new(indx, ni, new_vbn, sub_vbn);
> if (IS_ERR(n)) {
> err = PTR_ERR(n);
> - goto out1;
> + goto out_free_re;
> }
>
> hdr = &n->index->ihdr;
> @@ -1715,7 +1712,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
ntfs_free(re);
Take this off
> put_indx_node(n);
and this off
> fnd_clear(fnd);
> err = indx_insert_entry(indx, ni, new_de, ctx, fnd);
> - goto out;
> + goto out_free_root;
and call out_put_n here. Right?
> }
>
> /*
> @@ -1725,7 +1722,7 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
> e = hdr_insert_de(indx, hdr, new_de, NULL, ctx);
> if (!e) {
> err = -EINVAL;
> - goto out1;
> + goto out_put_n;
> }
> fnd_push(fnd, n, e);
>
> @@ -1734,12 +1731,11 @@ static int indx_insert_into_root(struct ntfs_index *indx, struct ntfs_inode *ni,
>
> n = NULL;
>
> -out1:
> +out_put_n:
> + put_indx_node(n);
> +out_free_re:
> ntfs_free(re);
> - if (n)
> - put_indx_node(n);
> -
> -out:
> +out_free_root:
> ntfs_free(a_root);
> return err;
> }
Overall lot cleaner now. Thanks.
> --
> 2.20.1
>
>
Powered by blists - more mailing lists