On Thu, May 23, 2019 at 08:48:43PM +0800, Chengguang Xu wrote: > Remove some redundant corruption checks in > ext4_xattr_block_get() and ext4_xattr_ibody_get() > because ext4_xattr_check_entries() has done those > checks. > > Signed-off-by: Chengguang Xu <cgxu519@xxxxxxxxxxx> I deliberately left in the redundant checks. That's because we still have issues where a buffer can be verified for some other block type (say, an allocation bitmap), but if that block is also referenced as an xattr block, we could cause a kernel crash, or worse, we might be end up corrupting kernel memory in some way that would lead to a privilege escalation test. I would actually prefer that we have enough tests ant the Time Of Use that we wouldn't need to check the whole xattr block the first time we read it into memory. The way we are doing it today, we are very much vulnerable to TOC/TOU bugs/vulnerabilities. In the long run we should making the xattr code so careful and robust that we wouldn't need to use the ext4_xattr_check_entries() except as a backup safety. (Today, we depend on it far too much, and there have been multiple example of deliberately/malicious crafted file systems which can bypass the checks in ext4_xattr_check_entries() check. Just scan fs/ext4/xattr.c for various CVE fixes....) So if anything we should be adding more checks to ext4_xattr_block_get(), et. al. - Ted
