Received: by 2002:a05:6358:700f:b0:131:369:b2a3 with SMTP id 15csp337706rwo; Tue, 1 Aug 2023 18:24:17 -0700 (PDT) X-Google-Smtp-Source: APBJJlHm2bkc3mcj5ZHltv4eioQwec3KoVcIIVcnUp5YmEmDBCM35FwEldqBEz2btEUbRCAOdu6H X-Received: by 2002:a17:907:75d0:b0:989:450:e567 with SMTP id jl16-20020a17090775d000b009890450e567mr3851675ejc.65.1690939457569; Tue, 01 Aug 2023 18:24:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690939457; cv=none; d=google.com; s=arc-20160816; b=QmaiH0iE8QE+F8xbTd72ee2hErwpvsXq0vc/dnhUbytnw76lDKKkcHuC4N7DyZ2Og4 eLp8Oa3mqJH5XlkaeN+6xRXJxu7rtdkM8gcbce601twqnxk98G2q9QSGOKa0rncQ5QXD 5sLW4CPYZTtMhMm2MMRgoJuPEp5Za41/0EQ/ZThI/8p71WShc6EL63Z5t8FVByIegwvB TV4mUTcEdZLcnWdJ0/LujxEo4FWb2Qj001ruwiGCPzHJpkC1+B1AcTwJzufrUPjqLaCA 0EzdtdMtZcaJRJAKboGd2NZm7OU10+mjdNMcTGGUaYXOeFB+s/U4mhS90No6jhSyWukq zmMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=QQrwIXD5dDDpJmHwDNXT7LmVeplj3HZJ96SaM0Uz30w=; fh=pklE/jdp3wcX4PRoAmEe6SJokhZY4IVCz0hZlKI4oeg=; b=lF8Ac8EeTSqo/KfTzNuAWUTLQpFgleXqYk+RgyW750Fsc7YEfMGPui3Sg+ZSjaw2me iC8EvSfL4rFrsIRQZU0H5LFLYW1cjXCEb+s2l0VgDgCoR6POgL2+vk7M5xCKEEmNpoxn mdLTd+h9gI8vgyUD0PYFw2q9A8ltdQDz4XrXCiD5Eaq303+0bxpv1eY++JYyoWXeUtyf coaLWDOOYJwHd0SLm6vlOWWJfUlbQiW6iG3bmd9yyWNZqU3i9rLGpM/P1oNwG3dA9KMA /ZL/Nvjgg6owvroueztwzAJNHeJY0vhNpeZmacAeC+HDPY+TK7RH1O0X+JOsiHDx4g/O iq3g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=gIacevkr; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h10-20020a170906854a00b00992bfd00fdbsi9397911ejy.971.2023.08.01.18.23.53; Tue, 01 Aug 2023 18:24:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=gIacevkr; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230115AbjHBBRq (ORCPT + 99 others); Tue, 1 Aug 2023 21:17:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34058 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229557AbjHBBRo (ORCPT ); Tue, 1 Aug 2023 21:17:44 -0400 Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2265C1FD6; Tue, 1 Aug 2023 18:17:43 -0700 (PDT) Received: by mail-qt1-x82c.google.com with SMTP id d75a77b69052e-4039a42467fso39542281cf.3; Tue, 01 Aug 2023 18:17:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1690939062; x=1691543862; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=QQrwIXD5dDDpJmHwDNXT7LmVeplj3HZJ96SaM0Uz30w=; b=gIacevkryuRhr3Q5CxOfkxyGZNYAi3A6JsOpy5l5uAjH9gx7w98/vJ3U0yQKEGltai nObvQo/CiCnYQmVITE2VKTKBeE5gGfIG6SBipuIGuazuP/j5Ubos5pvC+hUvm56RRoM0 MYEP+BQQxgmJRw1X7QS+BxHjqMGlJjlWrMLJoFn5B+kaeTjZeeaFqKNi7OLoncAZ+NcF +K6hrWMqsiRQKlpMQmLLNT4yA1QOSRDVmPi833OfQFOA8B9f7Jjo65qMMPTlxOJYpygX /wYTtY8k+H3WuMXTf7Xlw5Pz+a/hQwiGizemw+DHD9Bvc4ySlQmMq/bpyhcWGjJCsuzB B/Hw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690939062; x=1691543862; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=QQrwIXD5dDDpJmHwDNXT7LmVeplj3HZJ96SaM0Uz30w=; b=VTTKwzKP0XMIunSSlIVIyGJvYPEJ2okFbCV4lybpPBFYib7060wEkQPR7wkO/wwnnk 6Kk6SS3n5zipj6DHCDYdU2bNbdUJxHi9UyHCY4psGZKbOcNu176vG/0N3RgkjATv5th7 ModHI/Ha4f+DB3RmauIhexGM1vLbT3RNvwVznldwsAlvtnvcnnWOIQI1aI0H8MwAhc3L qK3Mc7yQhL7DBqKlTm2qtLgEvoGusD6DDkpYwfGOV9qU9Vknm6/TsDD5tWckYUYxD2MU 3BpzrbV7b6YW+9bN8f8DnqHt7mzjLt/Lkp+M6RNuHUab3OeMeWQq3Je72cmfLHjWLEcH NlWQ== X-Gm-Message-State: ABy/qLaN+DEoGsW6fZPm6JT5lRb9LyCzZ9YYG8jxIc/wMDTHxm0hq8x2 Qy+85rb+jhQwTDyIgb6T+X2B/n2vGtYKJpW33L0= X-Received: by 2002:a05:622a:1109:b0:403:1d93:b210 with SMTP id e9-20020a05622a110900b004031d93b210mr18963271qty.59.1690939061959; Tue, 01 Aug 2023 18:17:41 -0700 (PDT) MIME-Version: 1.0 References: <20230801112337.1856215-1-zhangshida@kylinos.cn> <20230801151828.GB11332@frogsfrogsfrogs> In-Reply-To: <20230801151828.GB11332@frogsfrogsfrogs> From: Stephen Zhang Date: Wed, 2 Aug 2023 09:17:05 +0800 Message-ID: Subject: Re: [PATCH v3] ext4: Fix rec_len verify error To: "Darrick J. Wong" Cc: tytso@mit.edu, adilger.kernel@dilger.ca, yi.zhang@huawei.com, linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org, zhangshida@kylinos.cn, stable@kernel.org, Andreas Dilger Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Darrick J. Wong =E4=BA=8E2023=E5=B9=B48=E6=9C=881=E6=97= =A5=E5=91=A8=E4=BA=8C 23:18=E5=86=99=E9=81=93=EF=BC=9A > > > This is sitll missing some pieces; what about this clause at line 367: > > if (t->det_reserved_zero1 || > le16_to_cpu(t->det_rec_len) !=3D sizeof(struct ext4_dir_entry= _tail) || > t->det_reserved_zero2 || > t->det_reserved_ft !=3D EXT4_FT_DIR_CSUM) > return NULL; > Yeah... > > @@ -445,13 +445,13 @@ static struct dx_countlimit *get_dx_countlimit(st= ruct inode *inode, > > struct ext4_dir_entry *dp; > > struct dx_root_info *root; > > int count_offset; > > + int blocksize =3D EXT4_BLOCK_SIZE(inode->i_sb); > > > > - if (le16_to_cpu(dirent->rec_len) =3D=3D EXT4_BLOCK_SIZE(inode->i_= sb)) > > + if (ext4_rec_len_from_disk(dirent->rec_len, blocksize) =3D=3D blo= cksize) > > count_offset =3D 8; > > - else if (le16_to_cpu(dirent->rec_len) =3D=3D 12) { > > + else if (ext4_rec_len_from_disk(dirent->rec_len, blocksize) =3D= =3D 12) { > > Why not lift this ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ to a > local variable? @dirent doesn't change, right? > Will do. > > dp =3D (struct ext4_dir_entry *)(((void *)dirent) + 12); > > - if (le16_to_cpu(dp->rec_len) !=3D > > - EXT4_BLOCK_SIZE(inode->i_sb) - 12) > > + if (ext4_rec_len_from_disk(dp->rec_len, blocksize) !=3D b= locksize - 12) > > return NULL; > > root =3D (struct dx_root_info *)(((void *)dp + 12)); > > if (root->reserved_zero || > > What about dx_make_map? > dx_make_map( .... map_tail->size =3D le16_to_cpu(de->rec_len); That might be a questionable one... map_tail->size is 16 bit, while the key reason we want ext4_rec_len_from_di= sk is converting 16-bit rec_len disk form to a in-memory form consisting of li= ke 17 bits...i.e. 0x10000. Cheers, Shida > Here's all the opencoded access I could find: > > $ git grep le16.*rec_len fs/ext4/ > fs/ext4/namei.c:356: le16_to_cpu(d->rec_len)); > fs/ext4/namei.c:367: le16_to_cpu(t->det_rec_len) !=3D sizeof(struc= t ext4_dir_entry_tail) || > fs/ext4/namei.c:449: if (le16_to_cpu(dirent->rec_len) =3D=3D EXT4_BLOC= K_SIZE(inode->i_sb)) > fs/ext4/namei.c:451: else if (le16_to_cpu(dirent->rec_len) =3D=3D 12) = { > fs/ext4/namei.c:453: if (le16_to_cpu(dp->rec_len) !=3D > fs/ext4/namei.c:1338: map_tail->size =3D le16_to_cpu(de= ->rec_len); > > --D > > > -- > > 2.27.0 > >