 
Date:   Fri, 23 Sep 2022 13:44:20 +0200
From:   Jan Kara <jack@...e.cz>
To:     Zhihao Cheng <chengzhihao1@...wei.com>
Cc:     jack@...e.com, tytso@....edu, brauner@...nel.org,
        linux-fsdevel@...r.kernel.org, linux-ext4@...r.kernel.org,
        linux-kernel@...r.kernel.org, yukuai3@...wei.com
Subject: Re: [PATCH v2 3/3] quota: Add more checking after reading from quota
 file

On Thu 22-09-22 21:04:01, Zhihao Cheng wrote:
> It would be better to do more sanity checking (e.g. dqdh_entries,
> block no.) on the content read from the quota file, which can prevent
> further corruption of the quota file.
> 
> Signed-off-by: Zhihao Cheng <chengzhihao1@...wei.com>
> ---
>  fs/quota/quota_tree.c | 43 +++++++++++++++++++++++++++++++++----------
>  1 file changed, 33 insertions(+), 10 deletions(-)
> 
> diff --git a/fs/quota/quota_tree.c b/fs/quota/quota_tree.c
> index 47711e739ddb..54fe4ad71de5 100644
> --- a/fs/quota/quota_tree.c
> +++ b/fs/quota/quota_tree.c
> @@ -71,12 +71,12 @@ static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf)
>  	return ret;
>  }
>  
> -static inline int do_check_range(struct super_block *sb, uint val,
> -				 uint min_val, uint max_val)
> +static inline int do_check_range(struct super_block *sb, const char *val_name,
> +				 uint val, uint min_val, uint max_val)
>  {
>  	if (val < min_val || val >= max_val) {
> -		quota_error(sb, "Getting block %u out of range %u-%u",
> -			    val, min_val, max_val);
> +		quota_error(sb, "Getting %s %u out of range %u-%u",
> +			    val_name, val, min_val, max_val);
>  		return -EUCLEAN;
>  	}

As I already wrote in my comments to v1, please create do_check_range()
already with this prototype in patch 1 so that you don't have to update it
(and all the call sites) in each of the patches. It makes review simpler.

> @@ -268,6 +270,11 @@ static uint find_free_dqentry(struct qtree_mem_dqinfo *info,
>  		*err = check_dquot_block_header(info, dh);
>  		if (*err)
>  			goto out_buf;
> +		*err = do_check_range(info->dqi_sb, "dqdh_entries",
> +				      le16_to_cpu(dh->dqdh_entries), 0,
> +				      qtree_dqstr_in_blk(info));
> +		if (*err)
> +			goto out_buf;

The checking of dqdh_entries belongs into check_dquot_block_header(). That
was the reason why it was created. So that all the checks are together in
one function...

>  	} else {
>  		blk = get_free_dqblk(info);
>  		if ((int)blk < 0) {
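Review bot: The new bound `le16_to_cpu(dh->dqdh_entries), 0, qtree_dqstr_in_blk(info)` rejects a completely full block, but nothing in the hunk says why a full block is an error at this call site, so a reader comparing it with the `1, qtree_dqstr_in_blk(info) + 1` bound used in free_dqentry sees two different ranges with no explanation. Presumably this branch handles a block taken from the free-entry list (the else branch falls back to get_free_dqblk()), in which case a block with no free slot is by definition corrupt; a comment above the call such as `/* block came from the free-entry list, so it must still have a free slot */` would record that. find_free_dqentry starts and ends outside the hunk.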
> @@ -349,6 +356,10 @@ static int do_insert_tree(struct qtree_mem_dqinfo *info, struct dquot *dquot,
>  	}
>  	ref = (__le32 *)buf;
>  	newblk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]);
> +	ret = do_check_range(dquot->dq_sb, "block", newblk, 0,
> +			     info->dqi_blocks);
> +	if (ret)
> +		goto out_buf;
>  	if (!newblk)
>  		newson = 1;
>  	if (depth == info->dqi_qtree_depth - 1) {
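Review bot: The new check passes `dquot->dq_sb` to do_check_range() while the other call sites added by this patch pass `info->dqi_sb`; `info` is already in scope here, so `ret = do_check_range(info->dqi_sb, "block", newblk, 0, info->dqi_blocks);` keeps the error reporting uniform (presumably both refer to the same superblock). A one-line comment would also help, since 0 is a legitimate "no child yet" value that the range check deliberately accepts before the `if (!newblk)` test, e.g. `/* 0 means no subtree yet; anything else must lie inside the quota file */`. Note that `info->dqi_blocks` is itself read from the quota file header, so this bound is only as trustworthy as the header validation done at load time, which I cannot confirm from this hunk. do_insert_tree's body begins and ends outside the hunk.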
> @@ -461,6 +472,11 @@ static int free_dqentry(struct qtree_mem_dqinfo *info, struct dquot *dquot,
>  	}
>  	dh = (struct qt_disk_dqdbheader *)buf;
>  	ret = check_dquot_block_header(info, dh);
> +	if (ret)
> +		goto out_buf;
> +	ret = do_check_range(info->dqi_sb, "dqdh_entries",
> +			     le16_to_cpu(dh->dqdh_entries), 1,
> +			     qtree_dqstr_in_blk(info) + 1);

Again, the check of dqdh_entries should be in check_dquot_block_header().

> @@ -739,7 +756,13 @@ static int find_next_id(struct qtree_mem_dqinfo *info, qid_t *id,
>  		goto out_buf;
>  	}
>  	for (i = __get_index(info, *id, depth); i < epb; i++) {
> -		if (ref[i] == cpu_to_le32(0)) {
> +		uint blk_no = le32_to_cpu(ref[i]);
> +
> +		ret = do_check_range(info->dqi_sb, "block", blk_no, 0,
> +				     info->dqi_blocks);
> +		if (ret)
> +			goto out_buf;
> +		if (blk_no == 0) {
>  			*id += level_inc;
>  			continue;
>  		}
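Review bot: The new loop body reads as if every ref must be a real block, yet a zero ref is treated as a hole (`*id += level_inc; continue;`) and is only accepted because the range check starts at 0; a short comment above the `uint blk_no` line would make that explicit, e.g. `/* 0 marks a missing subtree; any other ref must point inside the quota file */`. The surrounding for loop and find_next_id continue past the end of the hunk.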

I'd leave checking for 0 first here - i.e.:
		if (ref[i] == cpu_to_le32(0)) {
  			*id += level_inc;
  			continue;
  		}

and only then do:
		blk_no = le32_to_cpu(ref[i]);
		ret = do_check_range(...);

There's no point in checking a known-good value.

								Honza

-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR
