lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 13 Sep 2022 09:26:01 +0800
From:   Chao Yu <chao@...nel.org>
To:     Jaegeuk Kim <jaegeuk@...nel.org>
Cc:     linux-f2fs-devel@...ts.sourceforge.net,
        linux-kernel@...r.kernel.org, Chao Yu <chao.yu@...o.com>
Subject: Re: [PATCH v2] f2fs: fix to disallow getting inner inode via
 f2fs_iget()

On 2022/9/12 23:39, Jaegeuk Kim wrote:
> On 09/08, Chao Yu wrote:
>> On 2022/9/8 10:19, Jaegeuk Kim wrote:
>>> On 09/08, Chao Yu wrote:
>>>> On 2022/9/8 10:02, Jaegeuk Kim wrote:
>>>>> On 08/31, Chao Yu wrote:
>>>>>> From: Chao Yu <chao.yu@...o.com>
>>>>>>
>>>>>> Introduce f2fs_iget_inner() for f2fs_fill_super() to get inner inode:
>>>>>> meta inode, node inode or compressed inode, and add f2fs_check_nid_range()
>>>>>> in f2fs_iget() to avoid getting inner inode from external interfaces.
>>>>>
>>>>> So, we don't want to check the range of inner inode numbers? What'd be the
>>>>> way to check it's okay?
>>>>
>>>> For node_ino, meta_ino, root_ino, we have checked them in sanity_check_raw_super()
>>>> as below:
>>>>
>>>> 	/* check reserved ino info */
>>>> 	if (le32_to_cpu(raw_super->node_ino) != 1 ||
>>>> 		le32_to_cpu(raw_super->meta_ino) != 2 ||
>>>> 		le32_to_cpu(raw_super->root_ino) != 3) {
>>>> 		f2fs_info(sbi, "Invalid Fs Meta Ino: node(%u) meta(%u) root(%u)",
>>>> 			  le32_to_cpu(raw_super->node_ino),
>>>> 			  le32_to_cpu(raw_super->meta_ino),
>>>> 			  le32_to_cpu(raw_super->root_ino));
>>>> 		return -EFSCORRUPTED;
>>>> 	}
>>>>
>>>> compressed_ino should always be NM_I(sbi)->max_nid, it can be checked in
>>>> f2fs_init_compress_inode()?
>>>
>>> Hmm, I'm not sure whether we really need this patch, since it'd look better
>>> to handle all the iget with single f2fs_iget?
>>
>> Well, the main concern is previously f2fs_iget() won't check validation for inner
>> inode due to it will skip do_read_inode() - f2fs_check_nid_range(), so that in a
>> fuzzed image, caller may pass inner ino into f2fs_iget(), result in incorrect use
>> of inner inode. So I add f2fs_check_nid_range() in prior to f2fs_iget_inner() in
>> f2fs_iget() as below to detect and avoid this case.
> 
> FWIW, sanity_check_raw_super() checked the inode numbers.

However, previously, f2fs_iget() will return inner inode to caller directly, if caller
passes meta_ino, node_ino or compress_ino to f2fs_iget()?

Thanks,

> 
>>
>>>>>> +struct inode *f2fs_iget(struct super_block *sb, unsigned long ino)
>>>>>> +{
>>>>>> +	int ret;
>>>>>> +
>>>>>> +	ret = f2fs_check_nid_range(F2FS_SB(sb), ino);
>>>>>> +	if (ret)
>>>>>> +		return ERR_PTR(ret);
>>>>>> +
>>>>>> +	return f2fs_iget_inner(sb, ino);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ