The ntfs_get_ea() function returns negative error codes or on success
it returns the length. In the original code a zero length return was
treated as -ENODATA and results in a NULL return. But it should be
treated as an invalid length and result in an PTR_ERR(-EINVAL) return.
Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations")
Signed-off-by: Dan Carpenter <[email protected]>
---
I'm not super familiar with this code. Please review this one
extra carefully. I think it's theoretical because hopefully
ntfs_get_ea() doesn't ever return invalid lengths.
fs/ntfs3/xattr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
index 9239c388050e..e8ed38d0c4c9 100644
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -521,7 +521,7 @@ static struct posix_acl *ntfs_get_acl_ex(struct user_namespace *mnt_userns,
ni_unlock(ni);
/* Translate extended attribute to acl */
- if (err > 0) {
+ if (err >= 0) {
acl = posix_acl_from_xattr(mnt_userns, buf, err);
if (!IS_ERR(acl))
set_cached_acl(inode, type, acl);
--
2.20.1
On Tue, Aug 24, 2021 at 02:48:58PM +0300, Dan Carpenter wrote:
> The ntfs_get_ea() function returns negative error codes or on success
Not reletad to this patch but ntfs_get_wsl_perm() seems quite bug
because in there ntfs_get_ea use is not checked at all.
Also ntfs_getxattr() should probably send errno if ntfs_get_ea() is 0.
> it returns the length. In the original code a zero length return was
> treated as -ENODATA and results in a NULL return. But it should be
> treated as an invalid length and result in an PTR_ERR(-EINVAL) return.
>
> Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations")
> Signed-off-by: Dan Carpenter <[email protected]>
>
> I'm not super familiar with this code. Please review this one
> extra carefully. I think it's theoretical because hopefully
> ntfs_get_ea() doesn't ever return invalid lengths.
ntfs_get_ea() will return 0 if no info and this can happend quite
easily in my eyes.
Here's snippets
ntfs_read_ea()
{
attr_info =
ni_find_attr(ni, NULL, &le, ATTR_EA_INFO, NULL, 0, NULL, NULL);
attr_ea =
ni_find_attr(ni, attr_info, &le, ATTR_EA, NULL, 0, NULL, NULL);
if (!attr_ea || !attr_info)
return 0;
}
ntfs_get_ea()
{
len = 0;
err = ntfs_read_ea(ni, &ea_all, 0, &info);
if (err)
goto out;
if (!info)
goto out;
out:
return err ? err : len;
}
>
> fs/ntfs3/xattr.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
> index 9239c388050e..e8ed38d0c4c9 100644
> --- a/fs/ntfs3/xattr.c
> +++ b/fs/ntfs3/xattr.c
> @@ -521,7 +521,7 @@ static struct posix_acl *ntfs_get_acl_ex(struct user_namespace *mnt_userns,
> ni_unlock(ni);
>
> /* Translate extended attribute to acl */
> - if (err > 0) {
> + if (err >= 0) {
So now if err (size) is 0 it will try to get acl. Didn't you just say
that you want to return PTR_ERR(-EINVAL)?
So overall good finding but maybe more work is needed with this one.
> acl = posix_acl_from_xattr(mnt_userns, buf, err);
> if (!IS_ERR(acl))
> set_cached_acl(inode, type, acl);
> --
> 2.20.1
>
>
On Tue, Aug 24, 2021 at 07:38:51PM +0300, Kari Argillander wrote:
> On Tue, Aug 24, 2021 at 02:48:58PM +0300, Dan Carpenter wrote:
> > diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
> > index 9239c388050e..e8ed38d0c4c9 100644
> > --- a/fs/ntfs3/xattr.c
> > +++ b/fs/ntfs3/xattr.c
> > @@ -521,7 +521,7 @@ static struct posix_acl *ntfs_get_acl_ex(struct user_namespace *mnt_userns,
> > ni_unlock(ni);
> >
> > /* Translate extended attribute to acl */
> > - if (err > 0) {
> > + if (err >= 0) {
>
> So now if err (size) is 0 it will try to get acl. Didn't you just say
> that you want to return PTR_ERR(-EINVAL)?
>
If you pass an invalid too short size to posix_acl_from_xattr() then it
returns PTR_ERR(-EINVAL). It was hard to phrase this in the change log
but I feel like length of 1 and 0 should be treated the same.
> So overall good finding but maybe more work is needed with this one.
>
> > acl = posix_acl_from_xattr(mnt_userns, buf, err);
> > if (!IS_ERR(acl))
> > set_cached_acl(inode, type, acl);
regards,
dan carpenter
> From: Dan Carpenter <[email protected]>
> Sent: Tuesday, August 24, 2021 8:07 PM
> To: Kari Argillander <[email protected]>
> Cc: Konstantin Komarov <[email protected]>; [email protected]; [email protected]; kernel-
> [email protected]
> Subject: Re: [PATCH] fs/ntfs3: fix an error code in ntfs_get_acl_ex()
>
> On Tue, Aug 24, 2021 at 07:38:51PM +0300, Kari Argillander wrote:
> > On Tue, Aug 24, 2021 at 02:48:58PM +0300, Dan Carpenter wrote:
> > > diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
> > > index 9239c388050e..e8ed38d0c4c9 100644
> > > --- a/fs/ntfs3/xattr.c
> > > +++ b/fs/ntfs3/xattr.c
> > > @@ -521,7 +521,7 @@ static struct posix_acl *ntfs_get_acl_ex(struct user_namespace *mnt_userns,
> > > ni_unlock(ni);
> > >
> > > /* Translate extended attribute to acl */
> > > - if (err > 0) {
> > > + if (err >= 0) {
> >
> > So now if err (size) is 0 it will try to get acl. Didn't you just say
> > that you want to return PTR_ERR(-EINVAL)?
> >
>
> If you pass an invalid too short size to posix_acl_from_xattr() then it
> returns PTR_ERR(-EINVAL). It was hard to phrase this in the change log
> but I feel like length of 1 and 0 should be treated the same.
>
>
> > So overall good finding but maybe more work is needed with this one.
> >
> > > acl = posix_acl_from_xattr(mnt_userns, buf, err);
> > > if (!IS_ERR(acl))
> > > set_cached_acl(inode, type, acl);
>
> regards,
> dan carpenter
>
Applied, thanks!