lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20210824163851.hfbjqqpztgk4ngd5@kari-VirtualBox>
Date:   Tue, 24 Aug 2021 19:38:51 +0300
From:   Kari Argillander <kari.argillander@...il.com>
To:     Dan Carpenter <dan.carpenter@...cle.com>
Cc:     Konstantin Komarov <almaz.alexandrovich@...agon-software.com>,
        ntfs3@...ts.linux.dev, linux-kernel@...r.kernel.org,
        kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] fs/ntfs3: fix an error code in ntfs_get_acl_ex()

On Tue, Aug 24, 2021 at 02:48:58PM +0300, Dan Carpenter wrote:
> The ntfs_get_ea() function returns negative error codes or on success

Not reletad to this patch but ntfs_get_wsl_perm() seems quite bug
because in there ntfs_get_ea use is not checked at all.

Also ntfs_getxattr() should probably send errno if ntfs_get_ea() is 0.

> it returns the length.  In the original code a zero length return was
> treated as -ENODATA and results in a NULL return.  But it should be
> treated as an invalid length and result in an PTR_ERR(-EINVAL) return.
> 
> Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations")
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> 
> I'm not super familiar with this code.  Please review this one
> extra carefully.  I think it's theoretical because hopefully
> ntfs_get_ea() doesn't ever return invalid lengths.

ntfs_get_ea() will return 0 if no info and this can happend quite
easily in my eyes. 

Here's snippets

ntfs_read_ea()
{
	attr_info =
		ni_find_attr(ni, NULL, &le, ATTR_EA_INFO, NULL, 0, NULL, NULL);
	attr_ea =
		ni_find_attr(ni, attr_info, &le, ATTR_EA, NULL, 0, NULL, NULL);

	if (!attr_ea || !attr_info)
		return 0;	
}

ntfs_get_ea()
{
	len = 0;
	err = ntfs_read_ea(ni, &ea_all, 0, &info);
	if (err)
		goto out;
	if (!info)
		goto out;
out:
	return err ? err : len;
}

> 
>  fs/ntfs3/xattr.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
> index 9239c388050e..e8ed38d0c4c9 100644
> --- a/fs/ntfs3/xattr.c
> +++ b/fs/ntfs3/xattr.c
> @@ -521,7 +521,7 @@ static struct posix_acl *ntfs_get_acl_ex(struct user_namespace *mnt_userns,
>  		ni_unlock(ni);
>  
>  	/* Translate extended attribute to acl */
> -	if (err > 0) {
> +	if (err >= 0) {

So now if err (size) is 0 it will try to get acl. Didn't you just say
that you want to return PTR_ERR(-EINVAL)?

So overall good finding but maybe more work is needed with this one.

>  		acl = posix_acl_from_xattr(mnt_userns, buf, err);
>  		if (!IS_ERR(acl))
>  			set_cached_acl(inode, type, acl);
> -- 
> 2.20.1
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ