Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755399AbbBUBNf (ORCPT ); Fri, 20 Feb 2015 20:13:35 -0500 Received: from mail-pd0-f179.google.com ([209.85.192.179]:34157 "EHLO mail-pd0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754616AbbBUBNe (ORCPT ); Fri, 20 Feb 2015 20:13:34 -0500 Date: Sat, 21 Feb 2015 10:13:28 +0900 (JST) Message-Id: <20150221.101328.1613471465739082397.konishi.ryusuke@lab.ntt.co.jp> To: Andrew Morton Cc: linux-kernel@vger.kernel.org, linux-nilfs@vger.kernel.org Subject: Re: [PATCH 1/1] nilfs2: fix potential memory overrun on inode From: Ryusuke Konishi In-Reply-To: <20150221.092208.1795135375638032743.konishi.ryusuke@lab.ntt.co.jp> References: <1424439995-613-2-git-send-email-konishi.ryusuke@lab.ntt.co.jp> <20150220135842.0cd5c9338316a8a20b6a604a@linux-foundation.org> <20150221.092208.1795135375638032743.konishi.ryusuke@lab.ntt.co.jp> X-Mailer: Mew version 6.6 on Emacs 24.3 / Mule 6.0 (HANACHIRUSATO) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2893 Lines: 75 On Sat, 21 Feb 2015 09:22:08 +0900 (JST), Ryusuke Konishi wrote: > On Fri, 20 Feb 2015 13:58:42 -0800, Andrew Morton wrote: >> On Fri, 20 Feb 2015 22:46:35 +0900 Ryusuke Konishi wrote: >> >>> Each inode of nilfs2 stores a root node of a b-tree, and it turned out >>> to have a memory overrun issue: >>> >>> Each b-tree node of nilfs2 stores a set of key-value pairs and the >>> number of them (in "bn_nchildren" member of nilfs_btree_node struct), >>> as well as a few other "bn_*" members. >>> >>> Since the value of "bn_nchildren" is used for operations on the >>> key-values within the b-tree node, it can cause memory access overrun >>> if a large number is incorrectly set to "bn_nchildren". >>> >>> For instance, nilfs_btree_node_lookup() function determines the range >>> of binary search with it, and too large "bn_nchildren" leads >>> nilfs_btree_node_get_key() in that function to overrun. >>> >>> As for intermediate b-tree nodes, this is prevented by a sanity check >>> performed when each node is read from a drive, however, no sanity >>> check has been done for root nodes stored in inodes. >>> >>> This patch fixes the issue by adding missing sanity check against >>> b-tree root nodes so that it's called when on-memory inodes are read >>> from ifile, inode metadata file. >> >> How would one trigger this overrun? Mount an fs with a deliberately >> corrupted/inconsistent fs image? > > Yes, this can be triggered by mounting an fs with a corrupted image > deliberately or by chance. > >> Memory overrun sounds nasty so I'm thinking we add cc:stable to this >> one. OK? > > Agreed. Could you apply the following amendment ? I've got a warning from 0day kernel testing backend: fs/nilfs2/btree.c: In function 'nilfs_btree_root_broken': >> fs/nilfs2/btree.c:394:3: warning: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'ino_t' [-Wformat=] pr_crit("NILFS: bad btree root (inode number=%lu): level = %d, flags = 0x%x, nchildren = %d\n", ^ This is output for s390 arch since ino_t doesn't mean "unsigned long" in s390. Thanks, Ryusuke Konishi -- diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c index c645d7c..ecdbae1 100644 --- a/fs/nilfs2/btree.c +++ b/fs/nilfs2/btree.c @@ -378,7 +378,7 @@ static int nilfs_btree_node_broken(const struct nilfs_btree_node *node, * Return Value: If node is broken, 1 is returned. Otherwise, 0 is returned. */ static int nilfs_btree_root_broken(const struct nilfs_btree_node *node, - ino_t ino) + unsigned long ino) { int level, flags, nchildren; int ret = 0; -- 1.8.3.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/