lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <30B88888-4652-45B9-974F-C06468D30AD5@dilger.ca>
Date:   Thu, 3 Aug 2023 16:31:59 -0600
From:   Andreas Dilger <adilger@...ger.ca>
To:     zhangshida <starzhangzsd@...il.com>
Cc:     Theodore Ts'o <tytso@....edu>, Zhang Yi <yi.zhang@...wei.com>,
        "Darrick J. Wong" <djwong@...nel.org>,
        Ext4 Developers List <linux-ext4@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        zhangshida@...inos.cn, stable@...nel.org
Subject: Re: [PATCH v4] ext4: Fix rec_len verify error

On Aug 3, 2023, at 12:09 AM, zhangshida <starzhangzsd@...il.com> wrote:
> 
> From: Shida Zhang <zhangshida@...inos.cn>
> 
> With the configuration PAGE_SIZE 64k and filesystem blocksize 64k,
> a problem occurred when more than 13 million files were directly created
> under a directory:
> 
> EXT4-fs error (device xx): ext4_dx_csum_set:492: inode #xxxx: comm xxxxx: dir seems corrupt?  Run e2fsck -D.
> EXT4-fs error (device xx): ext4_dx_csum_verify:463: inode #xxxx: comm xxxxx: dir seems corrupt?  Run e2fsck -D.
> EXT4-fs error (device xx): dx_probe:856: inode #xxxx: block 8188: comm xxxxx: Directory index failed checksum
> 
> When enough files are created, the fake_dirent->reclen will be 0xffff.
> it doesn't equal to the blocksize 65536, i.e. 0x10000.
> 
> But it is not the same condition when blocksize equals to 4k.
> when enough files are created, the fake_dirent->reclen will be 0x1000.
> it equals to the blocksize 4k, i.e. 0x1000.
> 
> The problem seems to be related to the limitation of the 16-bit field
> when the blocksize is set to 64k.
> To address this, helpers like ext4_rec_len_{from,to}_disk has already
> been introduced to complete the conversion between the encoded and the
> plain form of rec_len.
> 
> So fix this one by using the helper, and all the other in this file too.
> 
> Cc: stable@...nel.org
> Fixes: dbe89444042a ("ext4: Calculate and verify checksums for htree nodes")
> Suggested-by: Andreas Dilger <adilger@...ger.ca>
> Suggested-by: Darrick J. Wong <djwong@...nel.org>
> Signed-off-by: Shida Zhang <zhangshida@...inos.cn>

Thanks for the updated patch.  You can add:

Reviewed-by: Andreas Dilger <adilger@...ger.ca>

> ---
> v3->v4:
> 1,Convert all the other rec_len, litrerally.
> 2,Lift a helper output to a local variable.
> --Suggested by Darrick.
> v2->v3:
> 1,Convert all the other rec_len if necessary, as suggested by Darrick.
> 2,Rephrase the commit message.
> v1->v2:
> Use the existing helper to covert the rec_len, as suggested by Andreas.
> 
> fs/ext4/namei.c | 26 +++++++++++++++-----------
> 1 file changed, 15 insertions(+), 11 deletions(-)
> 
> diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
> index 0caf6c730ce3..34fb2d1e66aa 100644
> --- a/fs/ext4/namei.c
> +++ b/fs/ext4/namei.c
> @@ -343,17 +343,17 @@ static struct ext4_dir_entry_tail *get_dirent_tail(struct inode *inode,
> 						   struct buffer_head *bh)
> {
> 	struct ext4_dir_entry_tail *t;
> +	int blocksize = EXT4_BLOCK_SIZE(inode->i_sb);
> 
> #ifdef PARANOID
> 	struct ext4_dir_entry *d, *top;
> 
> 	d = (struct ext4_dir_entry *)bh->b_data;
> 	top = (struct ext4_dir_entry *)(bh->b_data +
> -		(EXT4_BLOCK_SIZE(inode->i_sb) -
> -		 sizeof(struct ext4_dir_entry_tail)));
> -	while (d < top && d->rec_len)
> +		(blocksize - sizeof(struct ext4_dir_entry_tail)));
> +	while (d < top && ext4_rec_len_from_disk(d->rec_len, blocksize))
> 		d = (struct ext4_dir_entry *)(((void *)d) +
> -		    le16_to_cpu(d->rec_len));
> +		    ext4_rec_len_from_disk(d->rec_len, blocksize));
> 
> 	if (d != top)
> 		return NULL;
> @@ -364,7 +364,8 @@ static struct ext4_dir_entry_tail *get_dirent_tail(struct inode *inode,
> #endif
> 
> 	if (t->det_reserved_zero1 ||
> -	    le16_to_cpu(t->det_rec_len) != sizeof(struct ext4_dir_entry_tail) ||
> +	    (ext4_rec_len_from_disk(t->det_rec_len, blocksize) !=
> +	     sizeof(struct ext4_dir_entry_tail)) ||
> 	    t->det_reserved_zero2 ||
> 	    t->det_reserved_ft != EXT4_FT_DIR_CSUM)
> 		return NULL;
> @@ -445,13 +446,14 @@ static struct dx_countlimit *get_dx_countlimit(struct inode *inode,
> 	struct ext4_dir_entry *dp;
> 	struct dx_root_info *root;
> 	int count_offset;
> +	int blocksize = EXT4_BLOCK_SIZE(inode->i_sb);
> +	unsigned int rlen = ext4_rec_len_from_disk(dirent->rec_len, blocksize);
> 
> -	if (le16_to_cpu(dirent->rec_len) == EXT4_BLOCK_SIZE(inode->i_sb))
> +	if (rlen == blocksize)
> 		count_offset = 8;
> -	else if (le16_to_cpu(dirent->rec_len) == 12) {
> +	else if (rlen == 12) {
> 		dp = (struct ext4_dir_entry *)(((void *)dirent) + 12);
> -		if (le16_to_cpu(dp->rec_len) !=
> -		    EXT4_BLOCK_SIZE(inode->i_sb) - 12)
> +		if (ext4_rec_len_from_disk(dp->rec_len, blocksize) != blocksize - 12)
> 			return NULL;
> 		root = (struct dx_root_info *)(((void *)dp + 12));
> 		if (root->reserved_zero ||
> @@ -1315,6 +1317,7 @@ static int dx_make_map(struct inode *dir, struct buffer_head *bh,
> 	unsigned int buflen = bh->b_size;
> 	char *base = bh->b_data;
> 	struct dx_hash_info h = *hinfo;
> +	int blocksize = EXT4_BLOCK_SIZE(dir->i_sb);
> 
> 	if (ext4_has_metadata_csum(dir->i_sb))
> 		buflen -= sizeof(struct ext4_dir_entry_tail);
> @@ -1335,11 +1338,12 @@ static int dx_make_map(struct inode *dir, struct buffer_head *bh,
> 			map_tail--;
> 			map_tail->hash = h.hash;
> 			map_tail->offs = ((char *) de - base)>>2;
> -			map_tail->size = le16_to_cpu(de->rec_len);
> +			map_tail->size = ext4_rec_len_from_disk(de->rec_len,
> +								blocksize);
> 			count++;
> 			cond_resched();
> 		}
> -		de = ext4_next_entry(de, dir->i_sb->s_blocksize);
> +		de = ext4_next_entry(de, blocksize);
> 	}
> 	return count;
> }
> --
> 2.27.0
> 


Cheers, Andreas






Download attachment "signature.asc" of type "application/pgp-signature" (874 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ