Re: [PATCH v2 3/3] quota: Add more checking after reading from quota file


 



On Thu 22-09-22 21:04:01, Zhihao Cheng wrote:
> It would be better to do more sanity checking (eg. dqdh_entries,
> block no.) for the content read from quota file, which can prevent
> corrupting the quota file.
> 
> Signed-off-by: Zhihao Cheng <chengzhihao1@xxxxxxxxxx>
> ---
>  fs/quota/quota_tree.c | 43 +++++++++++++++++++++++++++++++++----------
>  1 file changed, 33 insertions(+), 10 deletions(-)
> 
> diff --git a/fs/quota/quota_tree.c b/fs/quota/quota_tree.c
> index 47711e739ddb..54fe4ad71de5 100644
> --- a/fs/quota/quota_tree.c
> +++ b/fs/quota/quota_tree.c
> @@ -71,12 +71,12 @@ static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf)
>  	return ret;
>  }
>  
> -static inline int do_check_range(struct super_block *sb, uint val,
> -				 uint min_val, uint max_val)
> +static inline int do_check_range(struct super_block *sb, const char *val_name,
> +				 uint val, uint min_val, uint max_val)
>  {
>  	if (val < min_val || val >= max_val) {
> -		quota_error(sb, "Getting block %u out of range %u-%u",
> -			    val, min_val, max_val);
> +		quota_error(sb, "Getting %s %u out of range %u-%u",
> +			    val_name, val, min_val, max_val);
>  		return -EUCLEAN;
>  	}
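Review bot: The error text in do_check_range prints the bounds as `%u-%u`, which reads as an inclusive range, but the test `val >= max_val` rejects max_val itself. A report such as "block 100 out of range 0-100" will mislead whoever triages a corrupted quota file. Either make the upper bound inclusive at every call site, or show the half-open interval in the message, e.g. `quota_error(sb, "Getting %s %u out of range [%u, %u)",`. A one-line comment above the function stating that the accepted interval is [min_val, max_val) would also help. The end of the function lies outside the quoted hunk.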

As I already wrote in my comments to v1, please create do_check_range()
already with this prototype in patch 1 so that you don't have to update it
(and all the call sites) in each of the patches. It makes review simpler.

> @@ -268,6 +270,11 @@ static uint find_free_dqentry(struct qtree_mem_dqinfo *info,
>  		*err = check_dquot_block_header(info, dh);
>  		if (*err)
>  			goto out_buf;
> +		*err = do_check_range(info->dqi_sb, "dqdh_entries",
> +				      le16_to_cpu(dh->dqdh_entries), 0,
> +				      qtree_dqstr_in_blk(info));
> +		if (*err)
> +			goto out_buf;

The checking of dqdh_entries belongs in check_dquot_block_header(). That
was the reason why it was created, so that all the checks are together in
one function...

>  	} else {
>  		blk = get_free_dqblk(info);
>  		if ((int)blk < 0) {
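Review bot: The two dqdh_entries checks use different bounds and neither says why. This hunk accepts 0 up to but not including qtree_dqstr_in_blk(info), while the free_dqentry hunk accepts 1 up to and including it. Presumably this path is about to add an entry, so a full block must be rejected, and free_dqentry is about to drop one, so a zero count must be rejected before it can wrap; the code that does so is not visible here. Wherever the checks end up, each should carry a short comment such as `/* block must have room for one more entry */` and `/* block must hold at least one entry to free */`. find_free_dqentry continues outside the hunk.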
> @@ -349,6 +356,10 @@ static int do_insert_tree(struct qtree_mem_dqinfo *info, struct dquot *dquot,
>  	}
>  	ref = (__le32 *)buf;
>  	newblk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]);
> +	ret = do_check_range(dquot->dq_sb, "block", newblk, 0,
> +			     info->dqi_blocks);
> +	if (ret)
> +		goto out_buf;
>  	if (!newblk)
>  		newson = 1;
>  	if (depth == info->dqi_qtree_depth - 1) {
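Review bot: The new range check on `newblk` only bounds the reference by the file size, so it still accepts a nonzero reference to the header block or to the tree root. A corrupted file can therefore point an entry back at an ancestor, and the walk would revisit blocks it has already passed. Consider also rejecting nonzero references at or below the root offset with -EUCLEAN, e.g. `if (newblk && newblk <= QT_TREEOFF)`; the QT_TREEOFF definition is not visible on this page, so confirm it against quota_tree.h. A comment should note that 0 is let through because it means "no child yet". The same applies to the `blk_no` check added in the find_next_id hunk. Both function bodies continue outside the quoted hunks.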
> @@ -461,6 +472,11 @@ static int free_dqentry(struct qtree_mem_dqinfo *info, struct dquot *dquot,
>  	}
>  	dh = (struct qt_disk_dqdbheader *)buf;
>  	ret = check_dquot_block_header(info, dh);
> +	if (ret)
> +		goto out_buf;
> +	ret = do_check_range(info->dqi_sb, "dqdh_entries",
> +			     le16_to_cpu(dh->dqdh_entries), 1,
> +			     qtree_dqstr_in_blk(info) + 1);

Again, the check of dqdh_entries should be in check_dquot_block_header().

> @@ -739,7 +756,13 @@ static int find_next_id(struct qtree_mem_dqinfo *info, qid_t *id,
>  		goto out_buf;
>  	}
>  	for (i = __get_index(info, *id, depth); i < epb; i++) {
> -		if (ref[i] == cpu_to_le32(0)) {
> +		uint blk_no = le32_to_cpu(ref[i]);
> +
> +		ret = do_check_range(info->dqi_sb, "block", blk_no, 0,
> +				     info->dqi_blocks);
> +		if (ret)
> +			goto out_buf;
> +		if (blk_no == 0) {
>  			*id += level_inc;
>  			continue;
>  		}

I'd leave checking for 0 first here - i.e.:
		if (ref[i] == cpu_to_le32(0)) {
  			*id += level_inc;
  			continue;
  		}

and only then do:
		blk_no = le32_to_cpu(ref[i]);
		ret = do_check_range(...);

There's no point in checking a known-good value.

								Honza

-- 
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR


