| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 May 2022 21:44:31 +0800
From: Baokun Li <libaokun1@...wei.com>
To: Jan Kara <jack@...e.cz>
CC: <lczerner@...hat.com>, <linux-ext4@...r.kernel.org>,
<tytso@....edu>, <adilger.kernel@...ger.ca>,
<ritesh.list@...il.com>, <linux-kernel@...r.kernel.org>,
<yi.zhang@...wei.com>, <yebin10@...wei.com>, <yukuai3@...wei.com>,
Baokun Li <libaokun1@...wei.com>
Subject: Re: [PATCH 2/2] ext4: correct the judgment of BUG in
ext4_mb_normalize_request
在 2022/5/24 17:30, Jan Kara 写道:
> On Mon 23-05-22 21:04:16, libaokun (A) wrote:
>> 在 2022/5/23 17:40, Jan Kara 写道:
>>> On Sat 21-05-22 21:42:17, Baokun Li wrote:
>>>> When either of the "start + size <= ac->ac_o_ex.fe_logical" or
>>>> "start > ac->ac_o_ex.fe_logical" conditions is met, it indicates
>>>> that the fe_logical is not in the allocated range.
>>>> In this case, it should be bug_ON.
>>>>
>>>> Fixes: dfe076c106f6 ("ext4: get rid of code duplication")
>>>> Signed-off-by: Baokun Li<libaokun1@...wei.com>
>>> I think this is actually wrong. The original condition checks whether
>>> start + size does not overflow the used integer type. Your condition is
>>> much stronger and I don't think it always has to be true. E.g. allocation
>>> goal block (start variable) can be pushed to larger values by existing
>>> preallocation or so.
>>>
>>> Honza
>>>
>> I think there are two reasons for this:
>>
>> First of all, the code here is as follows.
>> ```
>> size = end - start;
>> [...]
>> if (start + size <= ac->ac_o_ex.fe_logical &&
>> start > ac->ac_o_ex.fe_logical) {
>> ext4_msg(ac->ac_sb, KERN_ERR,
>> "start %lu, size %lu, fe_logical %lu",
>> (unsigned long) start, (unsigned long) size,
>> (unsigned long) ac->ac_o_ex.fe_logical);
>> BUG();
>> }
>> BUG_ON(size <= 0 || size > EXT4_BLOCKS_PER_GROUP(ac->ac_sb));
>> ```
>> First of all, there is no need to compare with ac_o_ex.fe_logical if it is
>> to determine whether there is an overflow.
>> Because the previous logic guarantees start < = ac_o_ex.fe_logical, and
> How does it guarantee that? The logic:
>
> if (ar->pleft && start <= ar->lleft) {
> size -= ar->lleft + 1 - start;
> start = ar->lleft + 1;
> }
>
> can move 'start' to further blocks...
This is not the case. According to the code of the preceding process,
ar->pleft and ar->pright are assigned values in ext4_ext_map_blocks.
ar->pleft is the first allocated block found to the left by map->m_lblk
(that is, fe_logical),
and ar->pright is the first allocated block found to the right.
ar->lleft and ar->lright are logical block numbers, so there must be
"ar->lleft < ac_o_ex.fe_logical < ar->lright".
>
>> limits the scope of size in
>> "BUG_ON (size < = 0 | | size > EXT4_BLOCKS_PER_GROUP (ac- > ac_sb))"
>> immediately following.
> OK, but what guarantees that ac_o_ex.fe_logical < UINT_MAX - size?
When ac_o_ex.fe_logical is too large to overflow, predict filesize
enters the last branch.
In this case, start = ac->ac_o_ex.fe_logical and size = ac->ac_o_ex.fe_len.
However, the overflow is checked in ext4_ext_check_overlap of
ext4_ext_map_blocks.
The code is as follows:
```
1898 /* check for wrap through zero on extent logical start block*/
1899 if (b1 + len1 < b1) {
1900 len1 = EXT_MAX_BLOCKS - b1;
1901 newext->ee_len = cpu_to_le16(len1);
1902 ret = 1;
1903 }
```
Therefore, no overflow occurs.
>
>> Secondly, the following code flow also reflects this logic.
>>
>> ext4_mb_normalize_request
>> >>> start + size <= ac->ac_o_ex.fe_logical
>> ext4_mb_regular_allocator
>> ext4_mb_simple_scan_group
>> ext4_mb_use_best_found
>> ext4_mb_new_preallocation
>> ext4_mb_new_inode_pa
>> ext4_mb_use_inode_pa
>> >>> set ac->ac_b_ex.fe_len <= 0
>> ext4_mb_mark_diskspace_used
>> >>> BUG_ON(ac->ac_b_ex.fe_len <= 0);
>>
>> In ext4_mb_use_inode_pa, you have the following code.
>> ```
>> start = pa->pa_pstart + (ac->ac_o_ex.fe_logical - pa->pa_lstart);
>> end = min(pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len), start + EXT4_C2B(sbi,
>> ac->ac_o_ex.fe_len));
>> len = EXT4_NUM_B2C(sbi, end - start);
>> ac->ac_b_ex.fe_len = len;
>> ```
>> The starting position in ext4_mb_mark_diskspace_used will be assert.
>> BUG_ON(ac->ac_b_ex.fe_len <= 0);
>>
>> When end == start + EXT4_C2B(sbi, ac->ac_o_ex.fe_len) is used, the value of
>> end - start must be greater than 0.
>> However, when end == pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len) occurs, this
>> bug_ON may be triggered.
>> When this bug_ON is triggered, that is,
>>
>> ac->ac_b_ex.fe_len <= 0
>> end - start <= 0
>> end <= start
>> pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len) <= pa->pa_pstart +
>> (ac->ac_o_ex.fe_logical - pa->pa_lstart)
>> pa->pa_len <= ac->ac_o_ex.fe_logical - pa->pa_lstart
>> pa->pa_lstart + pa->pa_len <= ac->ac_o_ex.fe_logical
>> start + size <= ac->ac_o_ex.fe_logical
>>
>> So I think that "&&" here should be changed to "||".
> Sorry, I still disagree. After some more code reading I agree that
> ac->ac_o_ex.fe_logical is the logical block where we want allocated blocks
> to be placed in the inode so logical extent of allocated blocks should include
> ac->ac_o_ex.fe_logical. But I would be reluctant to make assertion you
> suggest unless we make sure ac->ac_o_ex.fe_logical in unallocated (in which
> case we can also remove some other code from ext4_mb_normalize_request()).
>
> Honza
>
What codes are you referring to that can be deleted?
--
With Best Regards,
Baokun Li
Powered by blists - more mailing lists