From: Wang Shilong
Date: Tue, 31 Dec 2019 09:41:36 +0800
Subject: Re: [PATCH 2/2] e2fsck: fix use after free in calculate_tree()
To: "Theodore Y. Ts'o"
Cc: Ext4 Developers List, Andreas Dilger, Li Xi, Wang Shilong
In-Reply-To: <20191231005713.GA3669@mit.edu>
References: <1574759039-7429-1-git-send-email-wangshilong1991@gmail.com> <1574759039-7429-2-git-send-email-wangshilong1991@gmail.com> <20191231005713.GA3669@mit.edu>
List-ID: linux-ext4@vger.kernel.org

Looks good to me, thanks for refreshing the patch!

On Tue, Dec 31, 2019 at 8:57 AM Theodore Y. Ts'o wrote:
>
> Here is the version which I plan to use in e2fsprogs's maint branch.
>
>                                         - Ted
>
> commit aacc234471a9a0ab6d8d6f610a0e4996e9bfc785
> Author: Wang Shilong
> Date:   Mon Dec 30 19:52:39 2019 -0500
>
>     e2fsck: fix use after free in calculate_tree()
>
>     The problem is alloc_blocks() will call get_next_block() which might
>     reallocate outdir->buf, and memory address could be changed after
>     this.  To fix this, pointers that point into outdir->buf, such as
>     int_limit and root need to be recalculated based on the new starting
>     address of outdir->buf.
>
>     [ Changed to correctly recalculate int_limit, and to optimize how we
>       reallocate outdir->buf.  -TYT ]
>
>     Signed-off-by: Wang Shilong
>     Signed-off-by: Theodore Ts'o
> > diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c > index 392cfe9f..54bc6803 100644 > --- a/e2fsck/rehash.c > +++ b/e2fsck/rehash.c > @@ -301,7 +301,11 @@ static errcode_t get_next_block(ext2_filsys fs, struct out_dir *outdir, > errcode_t retval; > > if (outdir->num >= outdir->max) { > - retval = alloc_size_dir(fs, outdir, outdir->max + 50); > + int increment = outdir->max / 10; > + > + if (increment < 50) > + increment = 50; > + retval = alloc_size_dir(fs, outdir, outdir->max + increment); > if (retval) > return retval; > } > @@ -645,6 +649,9 @@ static int alloc_blocks(ext2_filsys fs, > if (retval) > return retval; > > + /* outdir->buf might be reallocated */ > + *prev_ent = (struct ext2_dx_entry *) (outdir->buf + *prev_offset); > + > *next_ent = set_int_node(fs, block_start); > *limit = (struct ext2_dx_countlimit *)(*next_ent); > if (next_offset) > @@ -734,6 +741,9 @@ static errcode_t calculate_tree(ext2_filsys fs, > return retval; > } > if (c3 == 0) { > + int delta1 = (char *)int_limit - outdir->buf; > + int delta2 = (char *)root - outdir->buf; > + > retval = alloc_blocks(fs, &limit, &int_ent, > &dx_ent, &int_offset, > NULL, outdir, i, &c2, > @@ -741,6 +751,11 @@ static errcode_t calculate_tree(ext2_filsys fs, > if (retval) > return retval; > > + /* outdir->buf might be reallocated */ > + int_limit = (struct ext2_dx_countlimit *) > + (outdir->buf + delta1); > + root = (struct ext2_dx_entry *) > + (outdir->buf + delta2); > } > dx_ent->block = ext2fs_cpu_to_le32(i); > if (c3 != limit->limit) >
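Review bot: the geometric growth in get_next_block() (`int increment = outdir->max / 10;`, floored at 50) only reduces how often outdir->buf is reallocated; it does not remove the hazard, since any caller still holding a raw pointer into outdir->buf across get_next_block() is stale after every growth, so the rebasing in the later hunks is required regardless. A one-line comment saying the 10% step is an optimization independent of the use-after-free fix would help, and it is worth checking that alloc_size_dir() guards `outdir->max + increment` against overflow of the block-count type, which this hunk does not do itself.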
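Review bot: in alloc_blocks(), the rebase `*prev_ent = (struct ext2_dx_entry *) (outdir->buf + *prev_offset);` is only correct if *prev_offset already equals the byte offset of *prev_ent within outdir->buf before get_next_block() ran; nothing in the hunk shows where *prev_offset is kept in sync, so state that invariant in the comment (or assert it in debug builds). The other out-pointers in this hunk (`*next_ent`, `*limit`) are derived fresh from set_int_node() after the call and are fine.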
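Review bot: in the calculate_tree() hunk that saves the offsets, `int delta1 = (char *)int_limit - outdir->buf;` and delta2 narrow a ptrdiff_t to int; use ptrdiff_t (or the same offset type already used for int_offset) so the saved offset cannot be truncated on a large directory buffer. If int_limit or root could still be NULL at this point on an early iteration, the subtraction is undefined behaviour; a short comment on why both are always set before the `if (c3 == 0)` branch would make the hunk self-explanatory.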
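Review bot: the rebase of int_limit and root after alloc_blocks() returns is the right fix for those two cached pointers, but the comment `/* outdir->buf might be reallocated */` should also say that limit, int_ent and dx_ent are refreshed inside alloc_blocks() through its out-parameters (as the earlier hunk shows for *prev_ent, *next_ent and *limit), because `dx_ent->block = ext2fs_cpu_to_le32(i);` dereferences dx_ent immediately afterwards and a future reader who adds another pointer into outdir->buf here needs to know it must be rebased too.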
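The bug class in the commit message above, shown on a constructed stand-in for out_dir (example code added here, not from e2fsprogs): a growable block buffer that realloc() may relocate, the patch's 10%/minimum-50 growth step, and the save-offset/rebase pattern the patch applies to int_limit and root. The struct, grow_increment(), next_block() and build_with_rebase() are all hypothetical names.

```c
#include <stdlib.h>
#include <string.h>
#define BLOCKSIZE 64   /* constructed block size for this example */
/* Hypothetical stand-in for e2fsck's struct out_dir (example code, not
 * e2fsprogs'): a growable array of fixed-size blocks that may move. */
struct out_dir {
    int num;    /* blocks in use */
    int max;    /* blocks allocated */
    char *buf;  /* max * BLOCKSIZE bytes; realloc() may relocate it */
};
/* Growth step as in the patch's get_next_block(): 10%, at least 50. */
int grow_increment(int max)
{
    int increment = max / 10;
    return increment < 50 ? 50 : increment;
}
/* Append a zeroed block, growing the buffer when full.
 * Returns the block's byte offset in buf, or -1 on allocation failure. */
long next_block(struct out_dir *d)
{
    if (d->num >= d->max) {
        int nmax = d->max + grow_increment(d->max);
        char *nbuf = realloc(d->buf, (size_t)nmax * BLOCKSIZE);
        if (!nbuf) return -1;
        d->buf = nbuf;  /* every pointer into the old buf is now stale */
        d->max = nmax;
    }
    memset(d->buf + (size_t)d->num * BLOCKSIZE, 0, BLOCKSIZE);
    return (long)d->num++ * BLOCKSIZE;
}
/* Build nblocks blocks while keeping a pointer to a "root" in block 0.
 * The root's byte offset survives next_block(); the pointer is re-derived
 * from buf after each call, as the patch does for int_limit and root.
 * Returns 1 if the root is still readable through the rebased pointer. */
int build_with_rebase(int nblocks)
{
    struct out_dir d = { 0, 0, NULL };
    long root_off = next_block(&d);
    char *root;
    int i, ok;
    if (root_off < 0) return -1;
    root = d.buf + root_off;
    root[0] = 'R';
    for (i = 1; i < nblocks; i++) {
        if (next_block(&d) < 0) break;
        root = d.buf + root_off;  /* rebase: d.buf may have moved */
    }
    ok = (i == nblocks) && (root[0] == 'R');
    free(d.buf);
    return ok;
}
```

Dropping the rebase line inside the loop reproduces the defect: root keeps pointing at the freed allocation once the buffer grows past 50 blocks, which AddressSanitizer reports as a heap-use-after-free.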