lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1r00qtxj.fsf@damenly.su>
Date:   Fri, 18 Feb 2022 19:25:20 +0800
From:   Su Yue <l@...enly.su>
To:     Greg KH <greg@...ah.com>
Cc:     Sasha Levin <sashal@...nel.org>, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org, David Sterba <dsterba@...e.com>,
        clm@...com, josef@...icpanda.com, linux-btrfs@...r.kernel.org
Subject: Re: [PATCH AUTOSEL 5.10 16/27] btrfs: tree-checker: check item_size
 for dev_item


On Fri 18 Feb 2022 at 11:36, Greg KH <greg@...ah.com> wrote:

> On Wed, Feb 09, 2022 at 01:40:52PM -0500, Sasha Levin wrote:
>> From: Su Yue <l@...enly.su>
>>
>> [ Upstream commit ea1d1ca4025ac6c075709f549f9aa036b5b6597d ]
>>
>> Check item size before accessing the device item to avoid out 
>> of bound
>> access, similar to inode_item check.
>>
>> Signed-off-by: Su Yue <l@...enly.su>
>> Reviewed-by: David Sterba <dsterba@...e.com>
>> Signed-off-by: David Sterba <dsterba@...e.com>
>> Signed-off-by: Sasha Levin <sashal@...nel.org>
>> ---
>>  fs/btrfs/tree-checker.c | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>>
>> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
>> index d4a3a56726aa8..4a5ee516845f7 100644
>> --- a/fs/btrfs/tree-checker.c
>> +++ b/fs/btrfs/tree-checker.c
>> @@ -947,6 +947,7 @@ static int check_dev_item(struct 
>> extent_buffer *leaf,
>>  			  struct btrfs_key *key, int slot)
>>  {
>>  	struct btrfs_dev_item *ditem;
>> +	const u32 item_size = btrfs_item_size(leaf, slot);
>>
>>  	if (key->objectid != BTRFS_DEV_ITEMS_OBJECTID) {
>>  		dev_item_err(leaf, slot,
>> @@ -954,6 +955,13 @@ static int check_dev_item(struct 
>> extent_buffer *leaf,
>>  			     key->objectid, 
>>  BTRFS_DEV_ITEMS_OBJECTID);
>>  		return -EUCLEAN;
>>  	}
>> +
>> +	if (unlikely(item_size != sizeof(*ditem))) {
>> +		dev_item_err(leaf, slot, "invalid item size: has 
>> %u expect %zu",
>> +			     item_size, sizeof(*ditem));
>> +		return -EUCLEAN;
>> +	}
>> +
>>  	ditem = btrfs_item_ptr(leaf, slot, struct btrfs_dev_item);
>>  	if (btrfs_device_id(leaf, ditem) != key->offset) {
>>  		dev_item_err(leaf, slot,
>> --
>> 2.34.1
>>
>
> This adds a build warning, showing that the backport is not 
> correct, so
> I'll go drop this :(
>
And the warning is
========================================================================
arch/x86/kernel/head_64.o: warning: objtool: .text+0x5: 
unreachable instruction
fs/btrfs/tree-checker.c: In function 
\342\200\230check_dev_item\342\200\231:
fs/btrfs/tree-checker.c:950:53: warning: passing argument 2 of 
\342\200\230btrfs_item_size\342\200\231 makes pointer from integer 
without a cast [-Wint-conversion]
  950 |         const u32 item_size = btrfs_item_size(leaf, slot);
      |                                                     ^~~~
      |                                                     |
      |                                                     int
In file included from fs/btrfs/tree-checker.c:21:
fs/btrfs/ctree.h:1474:48: note: expected \342\200\230const struct 
btrfs_item *\342\200\231 but argument is of type 
\342\200\230int\342\200\231
 1474 |                                    const type *s) 
 \
      |                                    ~~~~~~~~~~~~^
fs/btrfs/ctree.h:1833:1: note: in expansion of macro 
\342\200\230BTRFS_SETGET_FUNCS\342\200\231
 1833 | BTRFS_SETGET_FUNCS(item_size, struct btrfs_item, size, 
 32);
      | ^~~~~~~~~~~~~~~~~~
========================================================================

The upstream patchset[1] merged in 5.17-rc1, changed second 
parameter
of btrfs_item_size() from btrfs_item * to int directly.
So yes, the backport is wrong.

I'm not familiar with stable backport progress. Should I file a 
patch
using btrfs_item *? Or just drop it?

The patch is related to  0c982944af27d131d3b74242f3528169f66950ad 
but
I wonder why the 0c98294 is not selected automatically.

Thanks.

[1]: 
https://patchwork.kernel.org/project/linux-btrfs/cover/cover.1634842475.git.josef@toxicpanda.com/
--
Su
> thanks,
>
> greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ