| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_0DCC0C781E6C402F756C3C9758E9F6EE720A@qq.com> Date: Wed, 21 Aug 2024 19:15:07 +0800 From: Edward Adam Davis <eadavis@...com> To: joseph.qi@...ux.alibaba.com Cc: eadavis@...com, jlbec@...lplan.org, linux-kernel@...r.kernel.org, mark@...heh.com, ocfs2-devel@...ts.linux.dev, syzbot+5a64828fcc4c2ad9b04f@...kaller.appspotmail.com, syzkaller-bugs@...glegroups.com Subject: Re: [PATCH] ocfs2: Add i_size check for dir On Wed, 21 Aug 2024 18:41:06 +0800, Joseph Qi wrote: >>>> When the i_size of dir is too large, it will cause limit to overflow and >>>> be less than de_buf, ultimately resulting in last_de not being initialized >>>> and causing uaf issue. >>>> >>>> Reported-and-tested-by: syzbot+5a64828fcc4c2ad9b04f@...kaller.appspotmail.com >>>> Signed-off-by: Edward Adam Davis <eadavis@...com> >>>> --- >>>> fs/ocfs2/dir.c | 2 ++ >>>> 1 file changed, 2 insertions(+) >>>> >>>> diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c >>>> index d620d4c53c6f..c308dba6d213 100644 >>>> --- a/fs/ocfs2/dir.c >>>> +++ b/fs/ocfs2/dir.c >>>> @@ -3343,6 +3343,8 @@ static int ocfs2_find_dir_space_id(struct inode *dir, struct buffer_head *di_bh, >>>> unsigned long offset = 0; >>>> unsigned int rec_len, new_rec_len, free_space; >>>> >>>> + if (i_size_read(dir) > OCFS2_MAX_BLOCKSIZE) >>>> + return -EINVAL; >>> >>> Why OCFS2_MAX_BLOCKSIZE? >> I think it is largest block size in ocfs2, therefore, if it is larger >> than it, it must be incorrect, even though the value of i_size in dir >> in the current issue is much larger than it (i_size_read(dir) is 0x900000000000100). >>> It seems that this is caused by a corrupted dir inode, since this is an >>> inline case, we may try best to make sure it won't exceeds block size? >>> i.e. dir->i_sb->s_blocksize. >> You mean dir->i_sb->s_blocksize bigger than OCFS2_MAX_BLOCKSIZE? >> >No, I mean check s_blocksize seems more reasonable rather than >OCFS2_MAX_BLOCKSIZE. Perhaps we have different perspectives on the issue. My approach is to set a bottom line for the dir's i_size, and if it exceeds the bottom line, the dir will definitely be corrupted. And I think OCFS2_MAX_BLOCKSIZE is the reasonable bottom line. BR, Edward
Powered by blists - more mailing lists