lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 16 Nov 2023 15:09:28 +0800
From:   Wenchao Hao <haowenchao2@...wei.com>
To:     Xiubo Li <xiubli@...hat.com>, Ilya Dryomov <idryomov@...il.com>
CC:     Jeff Layton <jlayton@...nel.org>, <ceph-devel@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <louhongxiang@...wei.com>
Subject: Re: [PATCH] ceph: quota: Fix invalid pointer access in

On 2023/11/16 11:06, Xiubo Li wrote:
> 
> On 11/16/23 10:54, Wenchao Hao wrote:
>> On 2023/11/15 21:34, Xiubo Li wrote:
>>>
>>> On 11/15/23 21:25, Ilya Dryomov wrote:
>>>> On Wed, Nov 15, 2023 at 2:17 PM Xiubo Li <xiubli@...hat.com> wrote:
>>>>>
>>>>> On 11/15/23 20:32, Ilya Dryomov wrote:
>>>>>> On Wed, Nov 15, 2023 at 1:35 AM Xiubo Li <xiubli@...hat.com> wrote:
>>>>>>> On 11/14/23 23:31, Wenchao Hao wrote:
>>>>>>>> This issue is reported by smatch, get_quota_realm() might return
>>>>>>>> ERR_PTR, so we should using IS_ERR_OR_NULL here to check the return
>>>>>>>> value.
>>>>>>>>
>>>>>>>> Signed-off-by: Wenchao Hao <haowenchao2@...wei.com>
>>>>>>>> ---
>>>>>>>>     fs/ceph/quota.c | 2 +-
>>>>>>>>     1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>>>>
>>>>>>>> diff --git a/fs/ceph/quota.c b/fs/ceph/quota.c
>>>>>>>> index 9d36c3532de1..c4b2929c6a83 100644
>>>>>>>> --- a/fs/ceph/quota.c
>>>>>>>> +++ b/fs/ceph/quota.c
>>>>>>>> @@ -495,7 +495,7 @@ bool ceph_quota_update_statfs(struct ceph_fs_client *fsc, struct kstatfs *buf)
>>>>>>>>         realm = get_quota_realm(mdsc, d_inode(fsc->sb->s_root),
>>>>>>>>                                 QUOTA_GET_MAX_BYTES, true);
>>>>>>>>         up_read(&mdsc->snap_rwsem);
>>>>>>>> -     if (!realm)
>>>>>>>> +     if (IS_ERR_OR_NULL(realm))
>>>>>>>>                 return false;
>>>>>>>>
>>>>>>>> spin_lock(&realm->inodes_with_caps_lock);
>>>>>>> Good catch.
>>>>>>>
>>>>>>> Reviewed-by: Xiubo Li <xiubli@...hat.com>
>>>>>>>
>>>>>>> We should CC the stable mail list.
>>>>>> Hi Xiubo,
>>>>>>
>>>>>> What exactly is being fixed here?  get_quota_realm() is called with
>>>>>> retry=true, which means that no errors can be returned -- EAGAIN, the
>>>>>> only error that get_quota_realm() can otherwise generate, would be
>>>>>> handled internally by retrying.
>>>>> Yeah, that's true.
>>>>>
>>>>>> Am I missing something that makes this qualify for stable?
>>>>> Actually it's just for the smatch check for now.
>>>>>
>>>>> IMO we shouldn't depend on the 'retry', just potentially for new changes
>>>>> in future could return a ERR_PTR and cause potential bugs.
>>>> At present, ceph_quota_is_same_realm() also depends on it -- note how
>>>> old_realm isn't checked for errors at all and new_realm is only checked
>>>> for EAGAIN there.
>>>>
>>>>> If that's not worth to make it for stable, let's remove it.
>>>> Yes, let's remove it.  Please update the commit message as well, so
>>>> that it's clear that this is squashing a static checker warning and
>>>> doesn't actually fix any immediate bug.
>>>
>>> WenChao,
>>>
>>> Could update the commit comment and send the V2 ?
>>>
>>
>> OK, I would update the commit comment as following:
>>
>> This issue is reported by smatch, get_quota_realm() might return
>> ERR_PTR. It's not a immediate bug because get_quota_realm() is called
>> with 'retry=true', no errors can be returned.
>>
>> While we still should check the return value of get_quota_realm() with
>> IS_ERR_OR_NULL to avoid potential bugs if get_quota_realm() is changed
>> to return other ERR_PTR in future.
>>
>> What's more, should I change the ceph_quota_is_same_realm() too?
>>
> Yeah, please. Let's fix them all.
> 

is_same is return as true if both old_realm and new_realm are NULL, I do not
want to change the origin logic except add check for ERR_PTR, so following
is my change:

1. make sure xxx_realm is valid before calling ceph_put_snap_realm.
2. return false if new_realm or old_realm is ERR_PTR, this is newly added
    and now we would always run with the else branch.

diff --git a/fs/ceph/quota.c b/fs/ceph/quota.c
index c4b2929c6a83..8da9ffb05395 100644
--- a/fs/ceph/quota.c
+++ b/fs/ceph/quota.c
@@ -290,16 +290,20 @@ bool ceph_quota_is_same_realm(struct inode *old, struct inode *new)
         new_realm = get_quota_realm(mdsc, new, QUOTA_GET_ANY, false);
         if (PTR_ERR(new_realm) == -EAGAIN) {
                 up_read(&mdsc->snap_rwsem);
-               if (old_realm)
+               if (!IS_ERR_OR_NULL(old_realm))
                         ceph_put_snap_realm(mdsc, old_realm);
                 goto restart;
         }
-       is_same = (old_realm == new_realm);
         up_read(&mdsc->snap_rwsem);
  
-       if (old_realm)
+       if (IS_ERR(new_realm))
+               is_same = false;
+       else
+               is_same = (old_realm == new_realm);
+
+       if (!IS_ERR_OR_NULL(old_realm))
                 ceph_put_snap_realm(mdsc, old_realm);
-       if (new_realm)
+       if (!IS_ERR_OR_NULL(new_realm))
                 ceph_put_snap_realm(mdsc, new_realm);
  
         return is_same;


> Thanks
> 
> - Xiubo
> 
> 
>> Thanks
>>
>>> Thanks
>>>
>>> - Xiubo
>>>
>>>
>>>> Thanks,
>>>>
>>>>                  Ilya
>>>>
>>>
>>
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ